dc5c1bf0e90026a56314371350cdeb253d2a35d30a0bdc9cfbf54abe53ded8b8

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c28ff4a8ab39435c325f9e6b8d5b600N.exe
Size

72KB
MD5

4c28ff4a8ab39435c325f9e6b8d5b600
SHA1

fac7bfa69ed05b5e3f36401457921c23b6ecc7a4
SHA256

dc5c1bf0e90026a56314371350cdeb253d2a35d30a0bdc9cfbf54abe53ded8b8
SHA512

cb1593f93aa385dfd65b67441e85bd6b9a42f14f782a441b7b4d8c40680b4a05db2b49447adc00a1b7d38b8ee717b92858ae4adc6e6f2a502edfa6ce24056ed5
SSDEEP

1536:m/DOgp9krVIbE44klQTNsqXcNi2RrLKB498LKJAvvvoyi:m/DeVIb54kaW5uB+8Li

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmcojh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmcojh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfgjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhlejnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eadopc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfbploob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbpgbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fljcmlfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfifmnij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liimncmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofbch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfbploob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heapdjlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkffog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbpnkama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcpclbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffimfqgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeqmoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe

Executes dropped EXE 64 IoCs

pid	Process
4032	Eabbjc32.exe
1340	Elgfgl32.exe
1260	Eofbch32.exe
2612	Eadopc32.exe
2088	Edbklofb.exe
4556	Fljcmlfd.exe
4372	Fcckif32.exe
4828	Febgea32.exe
1732	Fhqcam32.exe
4872	Fbnafb32.exe
1624	Ffimfqgm.exe
1004	Fkffog32.exe
4780	Fbpnkama.exe
4576	Fhjfhl32.exe
4968	Gododflk.exe
3304	Gfngap32.exe
2244	Ghlcnk32.exe
1436	Gkkojgao.exe
1672	Gcagkdba.exe
3824	Gdcdbl32.exe
2076	Ghopckpi.exe
3092	Gcddpdpo.exe
4060	Gfbploob.exe
3100	Ghaliknf.exe
4252	Gokdeeec.exe
444	Gcfqfc32.exe
3312	Gfembo32.exe
1012	Gkaejf32.exe
4088	Gomakdcp.exe
3600	Gfgjgo32.exe
4324	Hmabdibj.exe
4128	Hckjacjg.exe
2628	Hfifmnij.exe
3076	Hmcojh32.exe
2140	Hbpgbo32.exe
3396	Heocnk32.exe
4332	Hodgkc32.exe
4896	Hcpclbfa.exe
2820	Heapdjlp.exe
840	Hmhhehlb.exe
4012	Hcbpab32.exe
5072	Hbeqmoji.exe
3480	Hioiji32.exe
1704	Hkmefd32.exe
2008	Hbgmcnhf.exe
1300	Immapg32.exe
1476	Icgjmapi.exe
4044	Iehfdi32.exe
4448	Ikbnacmd.exe
3660	Icifbang.exe
1212	Iejcji32.exe
4236	Imakkfdg.exe
3484	Ippggbck.exe
3712	Ibnccmbo.exe
3520	Ilghlc32.exe
4568	Icnpmp32.exe
5008	Iikhfg32.exe
1348	Ilidbbgl.exe
1768	Ibcmom32.exe
2060	Jmhale32.exe
3160	Jcbihpel.exe
3828	Jedeph32.exe
3760	Jmknaell.exe
4800	Jcefno32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmdqgd32.exe	Kemhff32.exe
File created	C:\Windows\SysWOW64\Hodgkc32.exe	Heocnk32.exe
File created	C:\Windows\SysWOW64\Lmldgi32.dll	Iehfdi32.exe
File opened for modification	C:\Windows\SysWOW64\Iejcji32.exe	Icifbang.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hckjacjg.exe	Hmabdibj.exe
File opened for modification	C:\Windows\SysWOW64\Icifbang.exe	Ikbnacmd.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Klqcioba.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Hkmefd32.exe	Hioiji32.exe
File created	C:\Windows\SysWOW64\Icnpmp32.exe	Ilghlc32.exe
File opened for modification	C:\Windows\SysWOW64\Jlednamo.exe	Jifhaenk.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ghaliknf.exe	Gfbploob.exe
File opened for modification	C:\Windows\SysWOW64\Mmlpoqpg.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Lpqiemge.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lpcfkm32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Gebgohck.dll	Leihbeib.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Hikhen32.dll	Ghlcnk32.exe
File opened for modification	C:\Windows\SysWOW64\Ippggbck.exe	Imakkfdg.exe
File opened for modification	C:\Windows\SysWOW64\Iikhfg32.exe	Icnpmp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Mmlpoqpg.exe	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Fhqcam32.exe	Febgea32.exe
File opened for modification	C:\Windows\SysWOW64\Kepelfam.exe	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Dakipgan.dll	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gkaejf32.exe	Gfembo32.exe
File created	C:\Windows\SysWOW64\Fpeohm32.dll	Hbeqmoji.exe
File created	C:\Windows\SysWOW64\Ipdejo32.dll	Ikbnacmd.exe
File created	C:\Windows\SysWOW64\Efjecajf.dll	Kedoge32.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nngokoej.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Collmj32.dll	Elgfgl32.exe
File created	C:\Windows\SysWOW64\Eadopc32.exe	Eofbch32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8076	7988	WerFault.exe	319

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghaliknf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcbpab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfbploob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hckjacjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfifmnij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmcojh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbeqmoji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eadopc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbaipkbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcfqfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcpclbfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heapdjlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elgfgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hioiji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gododflk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkmefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gokdeeec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilidbbgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmhale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmmjgejj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmdqgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eofbch32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifnjj32.dll"	4c28ff4a8ab39435c325f9e6b8d5b600N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjfkopm.dll"	Ffimfqgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmdhh32.dll"	Febgea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gododflk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmldgi32.dll"	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcbpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll"	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkkojgao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hodgkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcpclbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkhie32.dll"	Ilidbbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbaipkbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hckjacjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll"	Liimncmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilghlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 4032	2904	4c28ff4a8ab39435c325f9e6b8d5b600N.exe	85
PID 2904 wrote to memory of 4032	2904	4c28ff4a8ab39435c325f9e6b8d5b600N.exe	85
PID 2904 wrote to memory of 4032	2904	4c28ff4a8ab39435c325f9e6b8d5b600N.exe	85
PID 4032 wrote to memory of 1340	4032	Eabbjc32.exe	86
PID 4032 wrote to memory of 1340	4032	Eabbjc32.exe	86
PID 4032 wrote to memory of 1340	4032	Eabbjc32.exe	86
PID 1340 wrote to memory of 1260	1340	Elgfgl32.exe	87
PID 1340 wrote to memory of 1260	1340	Elgfgl32.exe	87
PID 1340 wrote to memory of 1260	1340	Elgfgl32.exe	87
PID 1260 wrote to memory of 2612	1260	Eofbch32.exe	88
PID 1260 wrote to memory of 2612	1260	Eofbch32.exe	88
PID 1260 wrote to memory of 2612	1260	Eofbch32.exe	88
PID 2612 wrote to memory of 2088	2612	Eadopc32.exe	89
PID 2612 wrote to memory of 2088	2612	Eadopc32.exe	89
PID 2612 wrote to memory of 2088	2612	Eadopc32.exe	89
PID 2088 wrote to memory of 4556	2088	Edbklofb.exe	91
PID 2088 wrote to memory of 4556	2088	Edbklofb.exe	91
PID 2088 wrote to memory of 4556	2088	Edbklofb.exe	91
PID 4556 wrote to memory of 4372	4556	Fljcmlfd.exe	92
PID 4556 wrote to memory of 4372	4556	Fljcmlfd.exe	92
PID 4556 wrote to memory of 4372	4556	Fljcmlfd.exe	92
PID 4372 wrote to memory of 4828	4372	Fcckif32.exe	93
PID 4372 wrote to memory of 4828	4372	Fcckif32.exe	93
PID 4372 wrote to memory of 4828	4372	Fcckif32.exe	93
PID 4828 wrote to memory of 1732	4828	Febgea32.exe	94
PID 4828 wrote to memory of 1732	4828	Febgea32.exe	94
PID 4828 wrote to memory of 1732	4828	Febgea32.exe	94
PID 1732 wrote to memory of 4872	1732	Fhqcam32.exe	95
PID 1732 wrote to memory of 4872	1732	Fhqcam32.exe	95
PID 1732 wrote to memory of 4872	1732	Fhqcam32.exe	95
PID 4872 wrote to memory of 1624	4872	Fbnafb32.exe	96
PID 4872 wrote to memory of 1624	4872	Fbnafb32.exe	96
PID 4872 wrote to memory of 1624	4872	Fbnafb32.exe	96
PID 1624 wrote to memory of 1004	1624	Ffimfqgm.exe	97
PID 1624 wrote to memory of 1004	1624	Ffimfqgm.exe	97
PID 1624 wrote to memory of 1004	1624	Ffimfqgm.exe	97
PID 1004 wrote to memory of 4780	1004	Fkffog32.exe	98
PID 1004 wrote to memory of 4780	1004	Fkffog32.exe	98
PID 1004 wrote to memory of 4780	1004	Fkffog32.exe	98
PID 4780 wrote to memory of 4576	4780	Fbpnkama.exe	99
PID 4780 wrote to memory of 4576	4780	Fbpnkama.exe	99
PID 4780 wrote to memory of 4576	4780	Fbpnkama.exe	99
PID 4576 wrote to memory of 4968	4576	Fhjfhl32.exe	100
PID 4576 wrote to memory of 4968	4576	Fhjfhl32.exe	100
PID 4576 wrote to memory of 4968	4576	Fhjfhl32.exe	100
PID 4968 wrote to memory of 3304	4968	Gododflk.exe	101
PID 4968 wrote to memory of 3304	4968	Gododflk.exe	101
PID 4968 wrote to memory of 3304	4968	Gododflk.exe	101
PID 3304 wrote to memory of 2244	3304	Gfngap32.exe	102
PID 3304 wrote to memory of 2244	3304	Gfngap32.exe	102
PID 3304 wrote to memory of 2244	3304	Gfngap32.exe	102
PID 2244 wrote to memory of 1436	2244	Ghlcnk32.exe	103
PID 2244 wrote to memory of 1436	2244	Ghlcnk32.exe	103
PID 2244 wrote to memory of 1436	2244	Ghlcnk32.exe	103
PID 1436 wrote to memory of 1672	1436	Gkkojgao.exe	104
PID 1436 wrote to memory of 1672	1436	Gkkojgao.exe	104
PID 1436 wrote to memory of 1672	1436	Gkkojgao.exe	104
PID 1672 wrote to memory of 3824	1672	Gcagkdba.exe	105
PID 1672 wrote to memory of 3824	1672	Gcagkdba.exe	105
PID 1672 wrote to memory of 3824	1672	Gcagkdba.exe	105
PID 3824 wrote to memory of 2076	3824	Gdcdbl32.exe	106
PID 3824 wrote to memory of 2076	3824	Gdcdbl32.exe	106
PID 3824 wrote to memory of 2076	3824	Gdcdbl32.exe	106
PID 2076 wrote to memory of 3092	2076	Ghopckpi.exe	107

C:\Users\Admin\AppData\Local\Temp\4c28ff4a8ab39435c325f9e6b8d5b600N.exe
"C:\Users\Admin\AppData\Local\Temp\4c28ff4a8ab39435c325f9e6b8d5b600N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\Eabbjc32.exe
  C:\Windows\system32\Eabbjc32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\SysWOW64\Elgfgl32.exe
    C:\Windows\system32\Elgfgl32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\Eofbch32.exe
      C:\Windows\system32\Eofbch32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\SysWOW64\Edbklofb.exe
        
        C:\Windows\system32\Edbklofb.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Febgea32.exe
        
        C:\Windows\system32\Febgea32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Gfngap32.exe
        
        C:\Windows\system32\Gfngap32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        23⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        29⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        30⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3600
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        41⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        46⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        47⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        48⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        52⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4236
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        54⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        55⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        58⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        63⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        64⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        66⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        69⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        70⤵
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5024
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        74⤵
        
        PID:632
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        77⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        80⤵
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        81⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        82⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        83⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        84⤵
        
        PID:984
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        85⤵
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        86⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        89⤵
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        91⤵
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        93⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        95⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        96⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        98⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        104⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        110⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        113⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        114⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        115⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        116⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        118⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        122⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        123⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        128⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        130⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        131⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        134⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        135⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        137⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        138⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        140⤵
        
        PID:316
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        144⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        146⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        147⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        148⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        149⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        151⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        154⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        156⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        159⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        161⤵
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:6396
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        163⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        164⤵
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        165⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        166⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        167⤵
        Drops file in System32 directory
        
        PID:6616
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        168⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        169⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6748
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6792
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        172⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6880
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:6940
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:7036
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:7100
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7152
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        179⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        180⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        181⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        182⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6584
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        184⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6824
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        187⤵
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6956
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        189⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        190⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        191⤵
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        192⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        193⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6540
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:6700
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        195⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        197⤵
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        199⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6732
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        201⤵
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        202⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        203⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        204⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        205⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        206⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        207⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        208⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7164
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        210⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        211⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7200
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        213⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        214⤵
        Drops file in System32 directory
        
        PID:7288
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        215⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7376
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        217⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7468
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        219⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7512
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        220⤵
        System Location Discovery: System Language Discovery
        
        PID:7556
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        221⤵
        Modifies registry class
        
        PID:7596
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        222⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7636
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        223⤵
        Drops file in System32 directory
        
        PID:7680
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        224⤵
        Drops file in System32 directory
        
        PID:7724
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7768
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7812
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        227⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        228⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7904
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        229⤵
        Drops file in System32 directory
        
        PID:7944
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        230⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 416
        231⤵
        Program crash
        
        PID:8076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7988 -ip 7988
1⤵
PID:8052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ageolo32.exe

Filesize
72KB

MD5
0abcb094fccf88a2c8dea704bf0e2371

SHA1
638d2b830a961e9df86a0ac4697706ff36c09a3e

SHA256
2e834e7a9c7f8a6a2775dc2bc541862e291afe74ae29fb8f6c8315390f6d1e31

SHA512
5ad4e712f0865fceb1d1e8d657d006a2c1c34b1bada1d28d8f9c1e6759a9b6668365312209c797c1d11e5c04aacb1236a65b342a204b97a3c48fc1653cebac3b

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
72KB

MD5
408aeb21963444780529ee828cb36df6

SHA1
46ce1ab65524c2cedcc417588b5fb786917f7d3c

SHA256
0854d1dacc5a69c1a1a1a42007f9cac326e9f72745b4ac0f8db1d156b67b0e3a

SHA512
6dbe2eabae6a2a38963d3eca3794d2be20cd9cfc4141a134dd992075213af91665fd2330c9171a7f7e125be786c72ca238dab29f67425a8d366760ce9d4a08fe

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
72KB

MD5
d4ab9e27a8e4abc592f7f111a0dd1b69

SHA1
bf4311be9b948f3ed56495008e815d1ed722d828

SHA256
7084cd3e37159a5af1471da610815040e666394946220b114f2942752e0392e5

SHA512
d3bbc2fe8da3120689454fd7a4ddeb99b7f54e7253d9050c018139134e8db8ba8ed89d0f6b4bf9b6b3a9d307af127f58012704f94f60d2291a1cf2303d9b6ed7

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
72KB

MD5
5b5de9d1e30e89ebcd67411b62e25432

SHA1
5a79e1ddf2f738dbb4a9ee2e2b7f346a8c77b77f

SHA256
6ba88a9dd21c08fa8163d8b496745ea93f8c38ff9136f7f8588d98fce159f086

SHA512
b443d430275df24f55bc5a74ae0ad7afe1323e036bd1815cd8f467b6224c3e4b782ab77db9581775fe670ab31d897aebb5a29fae6a2e19482ba27a79ad5ef059

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
72KB

MD5
3ece46f971a99aeb9874a7804d0e1be8

SHA1
1d9b737cbde6a1d3e035ce2b9ca0a9664a317d9c

SHA256
91edfbf71ed6664366eeb02f6a459f6d90a6242ea2e9255d6ed241b860782e4b

SHA512
d61b2f761e6a76c7c05734a91cda70e34779f2c54fe76680a908125b132f01dc84c9243afc94f662ac4fa0a918607dea0d82fde230f3f3625e578722baff395a

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
72KB

MD5
b460ca5a3f0c53b8e24f87d2ae841661

SHA1
8ac5ad95562554368056df3f648f89ff0b560e70

SHA256
ba9314769b652ced87020f06b58858d6c643dfdf16fd31e2aec0b2738116a6b1

SHA512
b5044680806479b57d8189e0c46b55acf0162db86ae80cfbb0d2a464031f4f19e41d77a0d970c1c58a4afb9b48fdb09b54a92371320f714fef53085ba369e9f9

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
72KB

MD5
d04165b6fd6c4a4e5c198b96dac905d7

SHA1
c739ac574e9e6dd81869807f2b1c88a7486674f6

SHA256
e59d0006037f4d2c43e469ddbbcd2c873263d9e3ebf8b0eb67c7fdc98120a759

SHA512
da9cf8be3d8d096ad4f2eb283249067d61994fc8b72a25dcbb249baaa1aca65efaa556fb667c29ba599f4d518868592d64a840b104c3d22a9a0537515b91c978

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
72KB

MD5
71893059de258e2f72b35dc04484994b

SHA1
e1c5a3d72094923028f4d4e43a94445248f4bd00

SHA256
4da479c37a27e713f3a60bc061ad79deff63d4e22617c13c226c2ec583037bf8

SHA512
4ebd50fbf31183added2c9b73edf0c29e434fa207a168ec943fcd219f6aa769269a49a22fc2070f8b61e09014733e3903af33fb02a66a8f1c960e686d2fe7856

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
72KB

MD5
6dec08e3047db5aa75093f26d647c8c3

SHA1
e37afa5336f7bcf96d3febfa51094ec91786fd3e

SHA256
2e5798f95fb4405fd0e33d65bd0ed7abbaa6d72ca8c7512351321df6429939ea

SHA512
4622692ec41434a69f8b1e12b3a9c07e0c8cdc6566d5d355675dcd22d9f269d62f7cce2cf41c5799cc1ca286b552b2e8ab61c4249805ae040338ac8ed11b6491

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
72KB

MD5
c16b769e085d0b1c3092e00d68eee12f

SHA1
3e0159c98e8abbe495e403756bd322ccf4165304

SHA256
20ad0b21b9e5c6eb41674f98f2f4dc6418b5ecaae8e6b7f22b7489e0dad48f0f

SHA512
845d3f12c97e8dfb5c2bafbc0a969e1a32ceed4a613fe299de3450871f832de0500c67857a2d8c6c0213c76c05c45d6cd20b216bcc97735fe95106baab9dc29b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
72KB

MD5
891a2cde7409e1a4da409f571e419776

SHA1
c0c5db98136174a8df3075ae0e2479e64d573070

SHA256
cb51c76acfeff6a9aa99f90368030bd6188d247f4fda89d405acbdaa2a4ea26e

SHA512
9b0ff94ee2ca6ca97bd11d9f300b9ab5f3e56a71017e946097621bff37362611a42844cfdf302b1046f705f63c0df7fcf1e8702aec02de706a5e199370aa1766

Download Submit
C:\Windows\SysWOW64\Eabbjc32.exe

Filesize
72KB

MD5
1e13cc9e02870c03526e5399c40b37d0

SHA1
f99e207ea770d1b93a515c32b0b54b47c5a271f2

SHA256
80f4a7571e2059d5cb196dbfc8dbd20d4fc501c381e7d596eb08764358a6f59f

SHA512
982694e64ea7f400911d051c6e66a174f7a772428c6ee3cbd7966a969b495194ca627b6660aadfd0c2b56fc1d9256d613e04ea418c15622ce28ce2711bf6123e

Download Submit
C:\Windows\SysWOW64\Eadopc32.exe

Filesize
72KB

MD5
bcd70910a475419090f9ea08293c7000

SHA1
415b8e22cb32f857145057cc6e09027f7c904187

SHA256
37df27fcb57e6adf0606e7cf8058774e264a0bc4f90b47d275ac7b93019b7bc8

SHA512
aa2ccd06dbdfe7149aea4e3a859cef0d38e3d55a42ea185a872a43152a5d12b88665e64674667767b4872b73130e0a87d6f564208218ad92b729633d624282c8

Download Submit
C:\Windows\SysWOW64\Edbklofb.exe

Filesize
72KB

MD5
fce71b003ab88f07e888d58012d55268

SHA1
337ee8e159c499309601f8e0bea753e3c4df318b

SHA256
23a222666b093369f2a53a4c25af403f4984fc48dffe438cf30537a8d622164e

SHA512
96dd0a23095e41e6aa52c819dea9304c559a344787fab7b83694ec318ded5a19268fe1d870aa930374edc5abc90e7185076ebff4491864c2cca469fd79e40c46

Download Submit
C:\Windows\SysWOW64\Elgfgl32.exe

Filesize
72KB

MD5
9acd6c980bc9e99fbfd6a5086612b159

SHA1
41e54d321087116025721b4ed508e9e1ed09dfff

SHA256
e61edd52a68c0a1eab42bbf75d76b44230b36882b5613f47651506ed9d6ee3f0

SHA512
bf73ea818fc14dc525f053d8c69eda7f4844368fbd2fff2120623b426867503175d946a15268e617ced4b7ffdcedeff50bd199acadce01aa63615f40cf811544

Download Submit
C:\Windows\SysWOW64\Eofbch32.exe

Filesize
72KB

MD5
ddb159661f0cba421c87a440b473ef55

SHA1
7258cbeef6735cf22cc2e8dacd2ec5a8190bbcce

SHA256
0221c6e6f59abbee4c89510afb28e59268169aec0fc00b742f38eb61514ec786

SHA512
03fe389bd37c8fa835aebb9d3111ddd9a30557fe1fe90e4f3bda3dd97e5a17ca0e308097d1e098d63e1c620c626b7c4439dfb683c106d4775c97e121cc6fb90f

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
72KB

MD5
fb1dc4f2940514028119ef9c2849acca

SHA1
1955e37d1b196b0c489c94c6632f0214ec789b74

SHA256
61d87a3d7d710a85976c6a5fd18e5fc5e5dc6d59d7e641eb8e378b8dd974bdf2

SHA512
3dac562de83be34d0a9cf5ba117a4538d9da9302f791f874eebbf28c778c4eaf72456fbdb7c8707bcca63de54b3e325a8eafeab9962c7615d1b5dc309782ba9b

Download Submit
C:\Windows\SysWOW64\Fbpnkama.exe

Filesize
72KB

MD5
cf863cce46bba1bd3751b6944a6b0d18

SHA1
65d237cf055b4e75a3c6d5db5a362aeea6eb4b3f

SHA256
4ae4c2250c84dcfc33905e6d667f9d9e1406a7b842cae6eeb9f95843c5f19181

SHA512
9e581869eefe89abf3c816be306d2cf7922928acbd80e84c5f747937383e389ebf73068e27a50bff3d14f64ce7f6f2c25ddbaf531625e2c710bff37e2158cac9

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
72KB

MD5
e2ccc518a4968bbb35fca032091eb9cb

SHA1
d405bdcc373c8bdc1758b1d4790cefbd02287a7c

SHA256
b066d6e30b732d859fe5dbdcceaf0d2970aff0ce5499bae82d0c7fe298debace

SHA512
b4f47dd97095dfa0ba8bfba1275d7b4c9c97b5b90fdc977d8caa98ad9e16d348e498717717fdda74ad2d055813ed24c3c62bf788918da1b2b81f8605dd7c4cc8

Download Submit
C:\Windows\SysWOW64\Febgea32.exe

Filesize
72KB

MD5
ee172326a7b57f657c9a9d3db2175df7

SHA1
5904cd59429c666303ee20fe43994268483295ab

SHA256
d60ee14379b387c39805751296955c421882f687fd206c737b1bf9993209d771

SHA512
08fd313f4be0f04cd7c576a84cc4f1b7e07c0c2949421770494f699cfa94631ab8f2ee3ccf660c8e82f10431930a1ccdc370373cf3c8c2dd4d427750175439cc

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
72KB

MD5
89ad8bdb68de210277c9aedd8b97d20c

SHA1
fdae4352d9fba6a0764926265ee9b3f3e2baad4d

SHA256
22b6cdb1977d22ebdda2f7782bc8ded936924586d33bc238e7aa3fd8e6f5488d

SHA512
04e8f9f58c0ec0676c8921ecd3750f4dd21301f1bc2a1573048ffe9259247d5ab8fb5acdf48a27cc70947e87f18522035aee3603e19e14d7a9208b3cbfa15569

Download Submit
C:\Windows\SysWOW64\Fhjfhl32.exe

Filesize
72KB

MD5
3aad429f7e2466604cd9045eb1c68c8d

SHA1
8c8a20959eafa0008acc78ae5e40ff2cff579e94

SHA256
f862543fb5e617eaed69c5d45d4d16bbf69073e017f92a73e0fc9ed6c63544c1

SHA512
9f7b33f2c4b6be7e3a903854c35eaf9ebad7202772d1d9da2a0d3afa7f17899393f3587fab6327ca85f5a42a0261095b5cedea0db738fece412233e3386667e3

Download Submit
C:\Windows\SysWOW64\Fhqcam32.exe

Filesize
72KB

MD5
4850c97949be0eefbebb29e62eac7b5c

SHA1
3d7161ffe60a1f51d00dcc342181b91dbfc3af42

SHA256
9d39a4d0c0406c10a6bd2b007ed065c99a51b3f793925a49b8595f3ee0ef3750

SHA512
dacb6280a40c8ed6e773d14019303e60009261dd1c75a220817b1abe88ff938135673bca412993b87a6b41e804e4428f312756e50dea3f5ed271811bc80a0dca

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
72KB

MD5
0d8a13d264e5681eb57fe99cbd240fad

SHA1
b1da7978c4dd905b3b2631a424fa3b138f3ccf68

SHA256
25476b6d9919bc61cce74233f7beda8a5ccce30fc49c930e423b25d8822e65bd

SHA512
b8df8288f07a8f999b0143f08c54a93fa426ea5bbcf27e0d657a0ab6691a4ccbb4c25e43b287fa90be3cff3de9263aa6ea39c35506fafca6a0f4395963f71dab

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
72KB

MD5
315029939257b2aeea65acd114b50b59

SHA1
de6a1737e55fe248fc649e9022da1030c1820236

SHA256
2addb91919d6b820c91958e11fbc0e9d9cc87421fc05ed64ccb258eeb46866d6

SHA512
b04674876465c8bda64fee11bd20500c42ad3ee62fcebb6a4683a90028877bce8baefe0513fc0196b15b48d0ff5f175413b7c456a4ca16393878863712534701

Download Submit
C:\Windows\SysWOW64\Gcagkdba.exe

Filesize
72KB

MD5
98392af439bb21045e5702a91326b97d

SHA1
e51a9caf7917ef766743c6440e5ccfc28cfc42d1

SHA256
9c505885072fb60a5e3e8e5b72169adc2d5f6e1d4556136e0b6e9877b6973813

SHA512
bfc80f51425e4091feef21c839bb573dba33018818207f25de0dfe4202562ad80d5fb733f99f9a5671b3e4d66ed75ebeece8892f3e45bbd1a5960bf737e41ada

Download Submit
C:\Windows\SysWOW64\Gcddpdpo.exe

Filesize
72KB

MD5
6e536225e98db25f2d0e9fa9a9756b4d

SHA1
7120d51f3eae2d9ce36cd3e7f603e165032e9bce

SHA256
3d9dd822f592259ac8753eb1de2328c4963c792bb80734d68bf1860e267aef6c

SHA512
6d3ec3ee2b03eb3311a1fcea86ba0f6560f22ddda867c44c330a4e35f95fc33b576b688c3cea60eb44c876e535d9ab93347b659ef692da5088a1314872fdf821

Download Submit
C:\Windows\SysWOW64\Gcfqfc32.exe

Filesize
72KB

MD5
08f1ed5c18ae27e8b8f364b7bbd7caee

SHA1
4a01cc4d9ad3a55affe443ec40faa745af41b1a3

SHA256
ee943e26741b3576afdb92565c655eb091471985bb9269e1fac61830f3392fa4

SHA512
e3d3ad390ddccbbfe30ef377b0c4a928eff8a8a1e32d4b2efbac6abbf162340a4eef17bace0537770ca6e6f5a2bc4299ab9dea9e6bb1439adf23d9388054d52c

Download Submit
C:\Windows\SysWOW64\Gdcdbl32.exe

Filesize
72KB

MD5
1cb1e8474043fc863912568cda3a1dd2

SHA1
fb03baa3296b2c702e20f2863b18ad53db2ec1ae

SHA256
8d6484249aba749ffb2db5d4e2411e001150fcc7c75e2cc8d0e67294b4f7063f

SHA512
63758c94b98d6257b8371c824f3d1f82412adfd3329e8bfc1840108c6a2b3f2ad3ce2d84cd40ac958dd803a7df210d532d3f98aaa5042f858c29686ed392eb0d

Download Submit
C:\Windows\SysWOW64\Gfbploob.exe

Filesize
72KB

MD5
0df9525c801a9714683fdd3246a6eb69

SHA1
6304a545d29f0e2ca467fb1a0d3709d000a04688

SHA256
0f85fccece67e2beab8b72e65f98e19ff30579c2dad2fb0df28b819e69795c9d

SHA512
759eb4f0e929c712659807f39b3eb5f4eefb7c3439e880d8c8a3fafbbd3028a6edb937ebe6fdd334df8a15e0c1bc8413304acbbe1698b0653cc94f12a48a761a

Download Submit
C:\Windows\SysWOW64\Gfembo32.exe

Filesize
72KB

MD5
d9c4b37d5ec156210c5850673342c27b

SHA1
4a9072f8edb26903c99d0628298997530855f843

SHA256
2c819e768a02a358730a2ebeb324380c7cca557986e0fbc3ec38f37f359033d3

SHA512
95940ae6c4c2b88b5ce2a0b33726febbbf425849aa4d5e5db5d333043596d6ea9835a65bc100de10f5db83a5997f246599f6101bee13a2a9e14cf3efb4f6e549

Download Submit
C:\Windows\SysWOW64\Gfgjgo32.exe

Filesize
72KB

MD5
f01bc3505971e17cd7c65fecb74095bc

SHA1
1d6f5040c47c27211b3a2607393eefc268e62991

SHA256
1687871b8055f981a874a1b879735453be366cde26f924e760fa4300361dc217

SHA512
f60ddfbdd86307bcfbbee15d1401b1e323f3c0b471eb9bf2d16e80ded8ca7e3b68e6e13378d7d67bb9b77004cacc87d7cf97f1665f4a3c112b936db73db98824

Download Submit
C:\Windows\SysWOW64\Gfngap32.exe

Filesize
72KB

MD5
ad0ff4cd5ed36da64f1f72b27d426b61

SHA1
740665c98fab29af0fe1008c650ba09524ca7939

SHA256
7535b7c8c5187dddea6d8d4659eb0f7973089c4f73a0945ea39f1863a04c7793

SHA512
3019dfce47ff32b16edfa3e166e7b240eca40f39e410e5b3c24a9c87fa8afd770ea39374b77638d3fe7c2efae6ce0affea8e0304dad73932b78334c121f2a3b0

Download Submit
C:\Windows\SysWOW64\Ghaliknf.exe

Filesize
72KB

MD5
a3899048544db2370bc9dd4d39f5ec5b

SHA1
0b93addc0a3fadfe17f01b5911b17c19c6bb2422

SHA256
d43af5cada6ae7fa0a0986a913a499cf4d9fad7752d89e2bd135845f16e5557f

SHA512
cd3992b27e8b72e250f2237755969b39cb3ed1aa56017d5e4fcb048d16066f83cdd2726cff78b50da4913e71ddb3553376e5c853c47a3ba475c554593f73f1d9

Download Submit
C:\Windows\SysWOW64\Ghlcnk32.exe

Filesize
72KB

MD5
6a8418187984fe1dbfec30d4e726f5a4

SHA1
9f22ca1eec16f746fb8e5c1800dab03dbcadc416

SHA256
a4a6d59ea05af3b9db07a493b58a4a4ead6708a92af2bdc0578a5deb3ea59237

SHA512
06c0e26e6fccb34d6f38d5440b4396e8371274e3b8c54e7e695abd0aa17f6f9b710c49f5d98b3767cc92d9ef020e33f07c350b431be600e5bb9557f1982a9c02

Download Submit
C:\Windows\SysWOW64\Ghopckpi.exe

Filesize
72KB

MD5
5eb5a06464f09bf0a19d83fa1e0fc00c

SHA1
eda1c85bc959cee3ffb9a6f1a21d62be75ba5143

SHA256
5344388705d323f6ee7a9ba7499df65ea205235c142d2f764fd9055ed07058c8

SHA512
a0bcdbfca1027f39c14a68805165250623cef81237a998085fd4e25ab2458cc8015d326033ec292f49c7e9e31cc5b85f6c1916ce6c977c6b6ccd42ac81899c57

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
72KB

MD5
bd0a921e55ae65faa0dbc305f111a3db

SHA1
aebd4aa72347c238f53991277c201da323b52afa

SHA256
86c3de8c4635f8a5157700ec3dffb85fdf1270c9eee1d5a7b42857866ebfdefb

SHA512
6ce7ebdfdf5f624c9dead6b3028f82780bb680221a8a2279341e6a607f449eff6ce6c46e721038ec50548928b2b201163b71b53b12beda155eb88bbe5a063afd

Download Submit
C:\Windows\SysWOW64\Gkkojgao.exe

Filesize
72KB

MD5
a0e96053084ff250b28f4450101286a2

SHA1
3e8d1ddc919dbfd537a9ddb202f4bf112aa25a4b

SHA256
1618e3d976d7c2d8ab137e26b36867eaf71ab9e9e7184ac131723067b326a352

SHA512
6bf7f357c86f09b0e70f0c705c2def534655c543afd99e5e894dde692e116f6c89bfb5a1b1cb18391d704030e58f8e24e08bea33f0756097acb22b8cd41ce627

Download Submit
C:\Windows\SysWOW64\Gododflk.exe

Filesize
72KB

MD5
226bba666d4a89aa4318c0371163a08a

SHA1
0d4dee52cd20d57a9acc87ede678a9f16c3ae593

SHA256
da7d15ea979760c92f5eb8b9ec6a37f1dcd34dc6db3c72e47dd43038cff7768b

SHA512
0be06ca14d81a733b090faf099c1084fb61ace4445cd7872a35f4c9154fa5c5e52a44dbc908fc7adff835819dba2b4a37077d82f980ae458ea4aefdfe7e7fd6d

Download Submit
C:\Windows\SysWOW64\Gokdeeec.exe

Filesize
72KB

MD5
8ca58eb8a3af1af72268157c7f7f0e4f

SHA1
59cb571d5341a927b5900221ac95b626a174f2fb

SHA256
a3356ec65c5d4822eca4f8ba9a98ecf8993f74a8a882d06b7e565ce4d6ceb4d0

SHA512
ed6aeb0318f2da58253138f7a89769d251ebef2f33397c7bd52bfdc8e982c18fd9aa46d7e95fac402094ca78d628c4a4c3fb5a3c23d3946e667cd228cd27634c

Download Submit
C:\Windows\SysWOW64\Gomakdcp.exe

Filesize
72KB

MD5
f73faf8de9dad9b7a598c4e00d01e50e

SHA1
00e6e7b9ffa6a6e4e8b03c9cfbccbb75c32a02c0

SHA256
32d604c19813d22122cd9a8170316a1b409b30568e76b53b758a769140ec819e

SHA512
53322f5239eeddb6d79568c3523b3b665b0ec4e1f827fed205caf7e9759239a3b78462e5164386efddc3a933853d84c368261d64393071ceb32e280bdeb005d0

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
72KB

MD5
f39410ff343445649e9078f3bac73372

SHA1
71d5d550516b89f9556168e3f2dbab294d5a0104

SHA256
9ec0cf59ba0ef7683182923fd40b42a3f3a715a870466795829e4e9f279cb944

SHA512
ea14583de335196435b1f2c9e9137b968c068a3e295b58869b8999e26b64d2ea1450378d6eb5307ae82a43a4fe709bedd1430c9812661a6b8a235c103dbbecfb

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
72KB

MD5
58997dcae52e13c318da39cfa0bd5b5f

SHA1
d7d537572ac83a1293c91d39ce9eb2ae79a373fe

SHA256
52a0f66151f56106b805cef00270fae98c9b16be903c642e0f410755b0377b86

SHA512
7559fb9631be61dcbc009fe7d0ec4a8b38ded8df469af9137df2248a532cb04108cabfe4abd8bfcb4662c41debc40f3e7cd3f991cb7922283b069837f51e69b9

Download Submit
C:\Windows\SysWOW64\Inlekh32.dll

Filesize
7KB

MD5
a58fd12dcf8c96e6e0711a7b8a8bfce2

SHA1
8856917488cd57c7ea83a91f8c076697daae73ba

SHA256
c51f37adb9a6fd3c32a247f17cf7e885c093d82940e925cb0f25bd6fbf3e281d

SHA512
d542e36cdbbeeb5192682fbb80e571b1bc0d2cec031318785a08418d39560ff2e3c331c1f9726eca8696ab3de71c7cc41b9ed63d613642803a9ca82d79060e67

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
72KB

MD5
db25f9392d30b8f9e7a54da40951960b

SHA1
bed7b0cc9d79c1486956467103aa6d7333dd2c79

SHA256
8663e26acf4ced311e8ae543c2adf00bf2db59eec9ac551eea982b74ea1c2db4

SHA512
84b1ac1361b96932114ad6726d1ae763e0d48864a267a9a0f976da0c7e600a28b27e9867a194b78aa641b869cca53d4c6b176d4268cd45b83a4e57ba7703005d

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
72KB

MD5
3cc77242ae41d771098030d8bcb1f1ba

SHA1
71b7a7eff0ad0f84beaaf16ab84ed19590f794c9

SHA256
eca8a2cbd9b359dc8e903d0cdb89dc6a4470ef5c76ddb1db5e85dd9c3ab8abc5

SHA512
80848edb87143bbc7cbece8d88b70b201ca0d1d91e5cdbcc6a0b7b5376c43b84d2f1e23c9daee91329df08045e4929503791a33aff60f3989156eda69da8f484

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
72KB

MD5
a9e2bb14dbe3d914e95405a57e43d0d1

SHA1
3396e286aef30ef775591c84a13d8ae3e03457b5

SHA256
999f7e51db10ce212aeaf4ca0b36d67c24027c759354649d378ed8ee5ef24923

SHA512
4bc94113301aa10830573f133101ef963f1c1d4653fa9df45b393befba620b5ca35877741d4e84a044e4bd7a08a3ac0aad5fb768694cb6823d2f247015c53d02

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
72KB

MD5
a2d34eab554ee1f2da90779eb6ac9769

SHA1
61f3779179c723f783d632a0e19cbd1fa28a791e

SHA256
6fa2be35d41b496601a8afe833d47c1fa2182227ca410183ddc99dbc1cae8f95

SHA512
100c98a75236435f1b5f30dc5353798a1d439d96e26c308f60caf405bd02ade44db18e9308b242ba5205b638f709ad3247d520d5c34ef40d23c07128c01ffbc5

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
72KB

MD5
194e32f387fd1717efe0be9e1d0d54da

SHA1
0ebc5d9b06d28cdb372b9c2368216e024731fd46

SHA256
f8892c5d7fefca0c06e4500f7dc50d7a3909b1d777b3f6fdb09a39f6a6faaa44

SHA512
f6ef792f628fe31d5bce5988dedeb22fde073b1646deab7f78e79785fbe72072fa62fafdcf196f524329723d4c4e185213056588c1241ed2ce4da7dfce6e21a0

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
72KB

MD5
b18dadd7f3420a5f3d98f5ac3cf6a487

SHA1
8499bbe3bb1e52f98c048214754b37c1f1dff192

SHA256
a9182c2e350519ca1f831c892e7d33ec9e4a6f15b85286637f5e20ad32745aa8

SHA512
23c7cefae9b0058d78ef7cd72aec3691d276bef2435706f7e49005e7844ba10f8db960783a78ceda32e9c83f213b0ee859b69fe38b812e37c9581ffcb87aeb3d

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
72KB

MD5
0ea8c2b7b706ed9b0bb2f96a65159dc4

SHA1
9c046bf6f7a7a31adc519ee8a5ede67c66c5315a

SHA256
9d1067280e8d2dc6433e142e9bf98d439be16523663ca4dd9a2b78416bcdeebd

SHA512
1353484f5360a5805f7c1f40e2eba7fd6fafa2b047bc3a7926140f3272953e18e63857c6331ee6b7d0c98bd8a7dc22b916cd7207570ac40bccd5644cae3a04b6

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
72KB

MD5
628b941da363114a8b4be89faa392a26

SHA1
9d2f5cb9afead6717847b6b19d0ef0e9c9607b77

SHA256
7ff83d853f2ddb8ee7871ed9bac6d337a5c306dee7a372bf8afd84470fcacf37

SHA512
48652b2845991666c3abed8e7c9ec986530232a0e3ae75b82478655e50b06c6bfd034a4546654aeb66c047fb0148b2d7d84726848649b5a7b200aa9884dc06f6

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
72KB

MD5
1600416fdd9688608c253ef4c9cee174

SHA1
525f8e743077e781b2f87f0f5be4b24638caa08d

SHA256
20902d9769f523dece01307b510e3a2227630f63e3425be2e8803eb4b48f3975

SHA512
31aa84bddaddd579a78dc312e812c86ad107bc34f21aec1ff7fe6dde2b845d0f57c74b77865879b86b418d3532f12faf30cbad69023813713b91716784e540a4

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
72KB

MD5
bce9ff11f74ff47a0d22373299dbc785

SHA1
c73bb44119fcda94b404055da82e07fa0eec20d5

SHA256
b71f96c2749bd73a5f385daa3a844625af6b30bdb71d8c98cd6baa896d138bd1

SHA512
53e2ac59d08ff80ba427f2543db273dddfe0b890488fb524a01bff0d14497757a8a346d0a1e45e480b24ed00a9a7d18b14534956ac8229b11040cdd8400621d6

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
72KB

MD5
06e11be4e27eb9aa7835084f44333e26

SHA1
9c4a943bc2a261bab9a85c0c425458ba819dea78

SHA256
e41116171a4d675385f63db7868cf05b9f34735f0652c6ff591ef382787519a7

SHA512
49455dd2a629fd0dd433ecda1b50087e6335e8cece71cfe4c630804b71351fcbf964398e57ebc2c39fbb7be6875bcfc610464bd89d3772885d32e79fa1b1ac98

Download Submit
memory/444-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/840-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3160-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3828-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4252-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4800-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6272-1661-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6372-1633-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6416-1678-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6452-1640-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6924-1632-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7332-1618-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7376-1617-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads