85ab539634250ec29ed6ae8b38fb2767e2ed45b05f76d3b4d13f6e2668c9550b

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de942c79ac2cb195bb0f33d0e3c43da0N.exe
Size

384KB
MD5

de942c79ac2cb195bb0f33d0e3c43da0
SHA1

a51e2a8980d6de75f2b487f88a282b22015f5719
SHA256

85ab539634250ec29ed6ae8b38fb2767e2ed45b05f76d3b4d13f6e2668c9550b
SHA512

95b61ceb6c78788247b96dafb65bb6db38eecd560d5678228ac01d56df2850866b52c34113425599173157439a40788dcfc2914b189f5b8f75b8595ec2f5447a
SSDEEP

6144:YdiYf2jT1+aE+YlFiWFAkOCOu0EajNVBZr6y2WXxLO1UqWk2kkkkK4kXkkkkkkkU:EiYf+TIIYlFiWVPh2kkkkK4kXkkkkkkt

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lndham32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggnedlao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbbhqn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leopnglc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddadpdmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gijekg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnodaecc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdbhkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gknkpjfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iklgah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Indfca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gklnjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaefgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idbodn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqlefl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djfcaohp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinmhkke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epcdqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmlneg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqbkfkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lajagj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gijekg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hajpbckl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inomhbeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eplnpeol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpkchqdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjpijpdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjpijpdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpckjfgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfmcfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnhpoamf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdinljnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhdhon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjedffig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgjgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leopnglc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejflhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdkpma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gilapgqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmdonkgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eangpgcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpjjac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjedffig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejdocm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejflhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkeaqi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijadbdoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eidbij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpdfnolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjdjoane.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kndojobi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	de942c79ac2cb195bb0f33d0e3c43da0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haoimcgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdbhkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfnmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkcfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhfedil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idieem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqdoem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpqodfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnlgleef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igedlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmbno32.exe

Executes dropped EXE 64 IoCs

pid	Process
1404	Dpqodfij.exe
2688	Dhhfedil.exe
4616	Djfcaohp.exe
5092	Dmdonkgc.exe
4284	Dpckjfgg.exe
4864	Dfmcfp32.exe
4856	Dmglcj32.exe
3168	Ddadpdmn.exe
1676	Dinmhkke.exe
4820	Ddcqedkk.exe
3632	Eplnpeol.exe
3936	Eidbij32.exe
3120	Edjgfcec.exe
3932	Ejdocm32.exe
2836	Eangpgcl.exe
456	Ejflhm32.exe
3852	Emehdh32.exe
1136	Epcdqd32.exe
2792	Fgbfhmll.exe
1464	Fmlneg32.exe
3132	Fpjjac32.exe
1092	Fgdbnmji.exe
1844	Fmnkkg32.exe
3232	Fpmggb32.exe
3080	Fhdohp32.exe
4280	Fkbkdkpp.exe
1300	Falcae32.exe
4696	Fdkpma32.exe
1568	Gigheh32.exe
3516	Gaopfe32.exe
3884	Gpaqbbld.exe
4448	Ghhhcomg.exe
3892	Gijekg32.exe
640	Gaamlecg.exe
2200	Gdoihpbk.exe
4704	Ggnedlao.exe
2852	Gilapgqb.exe
1760	Gpfjma32.exe
556	Ghmbno32.exe
3784	Gklnjj32.exe
5036	Gnjjfegi.exe
224	Gaefgd32.exe
3136	Ghpocngo.exe
5088	Gknkpjfb.exe
3828	Gnlgleef.exe
4768	Gpkchqdj.exe
5084	Hhbkinel.exe
4204	Hnodaecc.exe
1308	Hajpbckl.exe
808	Hhdhon32.exe
3432	Hjedffig.exe
1648	Hammhcij.exe
864	Hpomcp32.exe
5080	Hhfedm32.exe
5012	Hkeaqi32.exe
2132	Haoimcgg.exe
4476	Hdmein32.exe
1532	Hjjnae32.exe
4272	Hpdfnolo.exe
3084	Hgnoki32.exe
4956	Hnhghcki.exe
3700	Idbodn32.exe
1880	Iklgah32.exe
4400	Iqipio32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hhfedm32.exe	Hpomcp32.exe
File created	C:\Windows\SysWOW64\Bkfpfg32.dll	Idieem32.exe
File created	C:\Windows\SysWOW64\Jqlefl32.exe	Jnmijq32.exe
File created	C:\Windows\SysWOW64\Lklcfhik.dll	Kdinljnk.exe
File created	C:\Windows\SysWOW64\Kkhpdcab.exe	Kqbkfkal.exe
File created	C:\Windows\SysWOW64\Edjgfcec.exe	Eidbij32.exe
File created	C:\Windows\SysWOW64\Nkiebg32.dll	Gaamlecg.exe
File created	C:\Windows\SysWOW64\Plcpgejf.dll	Hhbkinel.exe
File opened for modification	C:\Windows\SysWOW64\Kjmmepfj.exe	Kilpmh32.exe
File created	C:\Windows\SysWOW64\Inomhbeq.exe	Igedlh32.exe
File created	C:\Windows\SysWOW64\Ijfnmc32.exe	Idieem32.exe
File opened for modification	C:\Windows\SysWOW64\Indfca32.exe	Igjngh32.exe
File created	C:\Windows\SysWOW64\Kjmmepfj.exe	Kilpmh32.exe
File opened for modification	C:\Windows\SysWOW64\Lgcjdd32.exe	Lajagj32.exe
File created	C:\Windows\SysWOW64\Kkfkkmmp.dll	Fgdbnmji.exe
File opened for modification	C:\Windows\SysWOW64\Hhfedm32.exe	Hpomcp32.exe
File created	C:\Windows\SysWOW64\Fjjdgc32.dll	Iklgah32.exe
File created	C:\Windows\SysWOW64\Leopnglc.exe	Lndham32.exe
File created	C:\Windows\SysWOW64\Hnodaecc.exe	Hhbkinel.exe
File created	C:\Windows\SysWOW64\Ecjfni32.dll	Idbodn32.exe
File created	C:\Windows\SysWOW64\Fngbbg32.dll	Lgcjdd32.exe
File created	C:\Windows\SysWOW64\Fnknamej.dll	Jhijqj32.exe
File opened for modification	C:\Windows\SysWOW64\Kbmoen32.exe	Kkcfid32.exe
File created	C:\Windows\SysWOW64\Jgnboabc.dll	Fgbfhmll.exe
File created	C:\Windows\SysWOW64\Gpkchqdj.exe	Gnlgleef.exe
File created	C:\Windows\SysWOW64\Jnhpoamf.exe	Jgogbgei.exe
File opened for modification	C:\Windows\SysWOW64\Dmglcj32.exe	Dfmcfp32.exe
File created	C:\Windows\SysWOW64\Beaalgij.dll	Eplnpeol.exe
File created	C:\Windows\SysWOW64\Gijekg32.exe	Ghhhcomg.exe
File opened for modification	C:\Windows\SysWOW64\Hgnoki32.exe	Hpdfnolo.exe
File created	C:\Windows\SysWOW64\Mcpeiqdc.dll	Djfcaohp.exe
File created	C:\Windows\SysWOW64\Ejflhm32.exe	Eangpgcl.exe
File opened for modification	C:\Windows\SysWOW64\Fgdbnmji.exe	Fpjjac32.exe
File created	C:\Windows\SysWOW64\Nocckb32.dll	Ejdocm32.exe
File created	C:\Windows\SysWOW64\Fkbkdkpp.exe	Fhdohp32.exe
File opened for modification	C:\Windows\SysWOW64\Fkbkdkpp.exe	Fhdohp32.exe
File opened for modification	C:\Windows\SysWOW64\Gpfjma32.exe	Gilapgqb.exe
File opened for modification	C:\Windows\SysWOW64\Ghmbno32.exe	Gpfjma32.exe
File created	C:\Windows\SysWOW64\Djfcaohp.exe	Dhhfedil.exe
File opened for modification	C:\Windows\SysWOW64\Djfcaohp.exe	Dhhfedil.exe
File created	C:\Windows\SysWOW64\Eejlephc.dll	Dmglcj32.exe
File created	C:\Windows\SysWOW64\Jdigjdia.dll	Kilpmh32.exe
File opened for modification	C:\Windows\SysWOW64\Hhdhon32.exe	Hajpbckl.exe
File created	C:\Windows\SysWOW64\Ghmpjalb.dll	Hpomcp32.exe
File created	C:\Windows\SysWOW64\Iqpfjnba.exe	Ijfnmc32.exe
File created	C:\Windows\SysWOW64\Hpdfnolo.exe	Hjjnae32.exe
File created	C:\Windows\SysWOW64\Knghil32.dll	Ddcqedkk.exe
File opened for modification	C:\Windows\SysWOW64\Fpmggb32.exe	Fmnkkg32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjnae32.exe	Hdmein32.exe
File created	C:\Windows\SysWOW64\Haoimcgg.exe	Hkeaqi32.exe
File opened for modification	C:\Windows\SysWOW64\Jhijqj32.exe	Indfca32.exe
File created	C:\Windows\SysWOW64\Kbmoen32.exe	Kkcfid32.exe
File created	C:\Windows\SysWOW64\Haplhc32.dll	Kkhpdcab.exe
File opened for modification	C:\Windows\SysWOW64\Gaopfe32.exe	Gigheh32.exe
File created	C:\Windows\SysWOW64\Hncfnebg.dll	Gdoihpbk.exe
File created	C:\Windows\SysWOW64\Mibime32.dll	Gnlgleef.exe
File created	C:\Windows\SysWOW64\Hnhghcki.exe	Hgnoki32.exe
File created	C:\Windows\SysWOW64\Iqklon32.exe	Ijadbdoj.exe
File opened for modification	C:\Windows\SysWOW64\Jgenbfoa.exe	Jqlefl32.exe
File opened for modification	C:\Windows\SysWOW64\Gpaqbbld.exe	Gaopfe32.exe
File created	C:\Windows\SysWOW64\Migidc32.dll	Gklnjj32.exe
File created	C:\Windows\SysWOW64\Jcemmf32.dll	Gknkpjfb.exe
File created	C:\Windows\SysWOW64\Jedohked.dll	Hammhcij.exe
File created	C:\Windows\SysWOW64\Jjdjoane.exe	Jgenbfoa.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eidbij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gilapgqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghmbno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjmmepfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcqedkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqlefl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaefgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjedffig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjjnae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqipio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmoen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgcjdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jklphekp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mngegmbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eangpgcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhbkinel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqklon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgogbgei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmglcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eplnpeol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epcdqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghhhcomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijfnmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igjngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgnoki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inomhbeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdinljnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejdocm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Falcae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdoihpbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajagj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqiipljg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igedlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbbhqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djfcaohp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmdonkgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejflhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkpma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gijekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnodaecc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfmcfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpkchqdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hammhcij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjghcfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjdjoane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emehdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpmggb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaopfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjpijpdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de942c79ac2cb195bb0f33d0e3c43da0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnjjfegi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Indfca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhijqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgjgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idieem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqbkfkal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpqodfij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkeaqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbddfmgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lndham32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmnkkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhdohp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaamlecg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Haoimcgg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jklphekp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpfjma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbalagn.dll"	Iqipio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnknamej.dll"	Jhijqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpdfnolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjjghcfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jqiipljg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapmipen.dll"	Jnmijq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfmcfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emehdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhdhon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnlgleef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hglppijc.dll"	Inomhbeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Injdmnab.dll"	Jqiipljg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkcfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occomh32.dll"	Eidbij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefekh32.dll"	Fhdohp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gknkpjfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnhghcki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meickkqm.dll"	Ijadbdoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpfjma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfgjhf32.dll"	Ghmbno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpkchqdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpofmcef.dll"	Dhhfedil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejflhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inomhbeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcnob32.dll"	Lndham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lndham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdepb32.dll"	Fdkpma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnhpoamf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkeaqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekojppef.dll"	Hnhghcki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdigjdia.dll"	Kilpmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjmmepfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dinmhkke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Falcae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Henjapmn.dll"	Gilapgqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkcfid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kqbkfkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghpocngo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hammhcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijadbdoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggnedlao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaefgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgnoki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gilapgqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamojc32.dll"	Igedlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jqlefl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eplnpeol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpmggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gigheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facdchai.dll"	Hdmein32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jldajape.dll"	Jgcamf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkhpdcab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkpcjeml.dll"	Dpqodfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfkkmmp.dll"	Fgdbnmji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpaqbbld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gklnjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kopapk32.dll"	Gaefgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnodaecc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnmijq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kicpplqn.dll"	Fpjjac32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 1404	4052	de942c79ac2cb195bb0f33d0e3c43da0N.exe	83
PID 4052 wrote to memory of 1404	4052	de942c79ac2cb195bb0f33d0e3c43da0N.exe	83
PID 4052 wrote to memory of 1404	4052	de942c79ac2cb195bb0f33d0e3c43da0N.exe	83
PID 1404 wrote to memory of 2688	1404	Dpqodfij.exe	84
PID 1404 wrote to memory of 2688	1404	Dpqodfij.exe	84
PID 1404 wrote to memory of 2688	1404	Dpqodfij.exe	84
PID 2688 wrote to memory of 4616	2688	Dhhfedil.exe	85
PID 2688 wrote to memory of 4616	2688	Dhhfedil.exe	85
PID 2688 wrote to memory of 4616	2688	Dhhfedil.exe	85
PID 4616 wrote to memory of 5092	4616	Djfcaohp.exe	86
PID 4616 wrote to memory of 5092	4616	Djfcaohp.exe	86
PID 4616 wrote to memory of 5092	4616	Djfcaohp.exe	86
PID 5092 wrote to memory of 4284	5092	Dmdonkgc.exe	87
PID 5092 wrote to memory of 4284	5092	Dmdonkgc.exe	87
PID 5092 wrote to memory of 4284	5092	Dmdonkgc.exe	87
PID 4284 wrote to memory of 4864	4284	Dpckjfgg.exe	88
PID 4284 wrote to memory of 4864	4284	Dpckjfgg.exe	88
PID 4284 wrote to memory of 4864	4284	Dpckjfgg.exe	88
PID 4864 wrote to memory of 4856	4864	Dfmcfp32.exe	89
PID 4864 wrote to memory of 4856	4864	Dfmcfp32.exe	89
PID 4864 wrote to memory of 4856	4864	Dfmcfp32.exe	89
PID 4856 wrote to memory of 3168	4856	Dmglcj32.exe	90
PID 4856 wrote to memory of 3168	4856	Dmglcj32.exe	90
PID 4856 wrote to memory of 3168	4856	Dmglcj32.exe	90
PID 3168 wrote to memory of 1676	3168	Ddadpdmn.exe	91
PID 3168 wrote to memory of 1676	3168	Ddadpdmn.exe	91
PID 3168 wrote to memory of 1676	3168	Ddadpdmn.exe	91
PID 1676 wrote to memory of 4820	1676	Dinmhkke.exe	92
PID 1676 wrote to memory of 4820	1676	Dinmhkke.exe	92
PID 1676 wrote to memory of 4820	1676	Dinmhkke.exe	92
PID 4820 wrote to memory of 3632	4820	Ddcqedkk.exe	94
PID 4820 wrote to memory of 3632	4820	Ddcqedkk.exe	94
PID 4820 wrote to memory of 3632	4820	Ddcqedkk.exe	94
PID 3632 wrote to memory of 3936	3632	Eplnpeol.exe	95
PID 3632 wrote to memory of 3936	3632	Eplnpeol.exe	95
PID 3632 wrote to memory of 3936	3632	Eplnpeol.exe	95
PID 3936 wrote to memory of 3120	3936	Eidbij32.exe	96
PID 3936 wrote to memory of 3120	3936	Eidbij32.exe	96
PID 3936 wrote to memory of 3120	3936	Eidbij32.exe	96
PID 3120 wrote to memory of 3932	3120	Edjgfcec.exe	97
PID 3120 wrote to memory of 3932	3120	Edjgfcec.exe	97
PID 3120 wrote to memory of 3932	3120	Edjgfcec.exe	97
PID 3932 wrote to memory of 2836	3932	Ejdocm32.exe	98
PID 3932 wrote to memory of 2836	3932	Ejdocm32.exe	98
PID 3932 wrote to memory of 2836	3932	Ejdocm32.exe	98
PID 2836 wrote to memory of 456	2836	Eangpgcl.exe	99
PID 2836 wrote to memory of 456	2836	Eangpgcl.exe	99
PID 2836 wrote to memory of 456	2836	Eangpgcl.exe	99
PID 456 wrote to memory of 3852	456	Ejflhm32.exe	100
PID 456 wrote to memory of 3852	456	Ejflhm32.exe	100
PID 456 wrote to memory of 3852	456	Ejflhm32.exe	100
PID 3852 wrote to memory of 1136	3852	Emehdh32.exe	101
PID 3852 wrote to memory of 1136	3852	Emehdh32.exe	101
PID 3852 wrote to memory of 1136	3852	Emehdh32.exe	101
PID 1136 wrote to memory of 2792	1136	Epcdqd32.exe	102
PID 1136 wrote to memory of 2792	1136	Epcdqd32.exe	102
PID 1136 wrote to memory of 2792	1136	Epcdqd32.exe	102
PID 2792 wrote to memory of 1464	2792	Fgbfhmll.exe	103
PID 2792 wrote to memory of 1464	2792	Fgbfhmll.exe	103
PID 2792 wrote to memory of 1464	2792	Fgbfhmll.exe	103
PID 1464 wrote to memory of 3132	1464	Fmlneg32.exe	104
PID 1464 wrote to memory of 3132	1464	Fmlneg32.exe	104
PID 1464 wrote to memory of 3132	1464	Fmlneg32.exe	104
PID 3132 wrote to memory of 1092	3132	Fpjjac32.exe	105

C:\Users\Admin\AppData\Local\Temp\de942c79ac2cb195bb0f33d0e3c43da0N.exe
"C:\Users\Admin\AppData\Local\Temp\de942c79ac2cb195bb0f33d0e3c43da0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\Dpqodfij.exe
  C:\Windows\system32\Dpqodfij.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\Dhhfedil.exe
    C:\Windows\system32\Dhhfedil.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\Djfcaohp.exe
      C:\Windows\system32\Djfcaohp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\Windows\SysWOW64\Dmdonkgc.exe
        
        C:\Windows\system32\Dmdonkgc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5092
      - C:\Windows\SysWOW64\Dpckjfgg.exe
        
        C:\Windows\system32\Dpckjfgg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Dfmcfp32.exe
        
        C:\Windows\system32\Dfmcfp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Dmglcj32.exe
        
        C:\Windows\system32\Dmglcj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Ddadpdmn.exe
        
        C:\Windows\system32\Ddadpdmn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Dinmhkke.exe
        
        C:\Windows\system32\Dinmhkke.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Ddcqedkk.exe
        
        C:\Windows\system32\Ddcqedkk.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Eplnpeol.exe
        
        C:\Windows\system32\Eplnpeol.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Eidbij32.exe
        
        C:\Windows\system32\Eidbij32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Edjgfcec.exe
        
        C:\Windows\system32\Edjgfcec.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Ejdocm32.exe
        
        C:\Windows\system32\Ejdocm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Eangpgcl.exe
        
        C:\Windows\system32\Eangpgcl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Ejflhm32.exe
        
        C:\Windows\system32\Ejflhm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Emehdh32.exe
        
        C:\Windows\system32\Emehdh32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Epcdqd32.exe
        
        C:\Windows\system32\Epcdqd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Fgbfhmll.exe
        
        C:\Windows\system32\Fgbfhmll.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Fmlneg32.exe
        
        C:\Windows\system32\Fmlneg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Fpjjac32.exe
        
        C:\Windows\system32\Fpjjac32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Fgdbnmji.exe
        
        C:\Windows\system32\Fgdbnmji.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Fmnkkg32.exe
        
        C:\Windows\system32\Fmnkkg32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Fpmggb32.exe
        
        C:\Windows\system32\Fpmggb32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Fhdohp32.exe
        
        C:\Windows\system32\Fhdohp32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Fkbkdkpp.exe
        
        C:\Windows\system32\Fkbkdkpp.exe
        27⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Falcae32.exe
        
        C:\Windows\system32\Falcae32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Fdkpma32.exe
        
        C:\Windows\system32\Fdkpma32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Gigheh32.exe
        
        C:\Windows\system32\Gigheh32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Gaopfe32.exe
        
        C:\Windows\system32\Gaopfe32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Gpaqbbld.exe
        
        C:\Windows\system32\Gpaqbbld.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Ghhhcomg.exe
        
        C:\Windows\system32\Ghhhcomg.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Gijekg32.exe
        
        C:\Windows\system32\Gijekg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Gaamlecg.exe
        
        C:\Windows\system32\Gaamlecg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Gdoihpbk.exe
        
        C:\Windows\system32\Gdoihpbk.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Ggnedlao.exe
        
        C:\Windows\system32\Ggnedlao.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Gilapgqb.exe
        
        C:\Windows\system32\Gilapgqb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Gpfjma32.exe
        
        C:\Windows\system32\Gpfjma32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Ghmbno32.exe
        
        C:\Windows\system32\Ghmbno32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Gklnjj32.exe
        
        C:\Windows\system32\Gklnjj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Gnjjfegi.exe
        
        C:\Windows\system32\Gnjjfegi.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Gaefgd32.exe
        
        C:\Windows\system32\Gaefgd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Ghpocngo.exe
        
        C:\Windows\system32\Ghpocngo.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Gknkpjfb.exe
        
        C:\Windows\system32\Gknkpjfb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Gnlgleef.exe
        
        C:\Windows\system32\Gnlgleef.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Gpkchqdj.exe
        
        C:\Windows\system32\Gpkchqdj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Hhbkinel.exe
        
        C:\Windows\system32\Hhbkinel.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Hnodaecc.exe
        
        C:\Windows\system32\Hnodaecc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Hajpbckl.exe
        
        C:\Windows\system32\Hajpbckl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1308
        
        C:\Windows\SysWOW64\Hhdhon32.exe
        
        C:\Windows\system32\Hhdhon32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Hjedffig.exe
        
        C:\Windows\system32\Hjedffig.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\Hammhcij.exe
        
        C:\Windows\system32\Hammhcij.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Hpomcp32.exe
        
        C:\Windows\system32\Hpomcp32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Hhfedm32.exe
        
        C:\Windows\system32\Hhfedm32.exe
        55⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Hkeaqi32.exe
        
        C:\Windows\system32\Hkeaqi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Haoimcgg.exe
        
        C:\Windows\system32\Haoimcgg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Hdmein32.exe
        
        C:\Windows\system32\Hdmein32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Hjjnae32.exe
        
        C:\Windows\system32\Hjjnae32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Hpdfnolo.exe
        
        C:\Windows\system32\Hpdfnolo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Hgnoki32.exe
        
        C:\Windows\system32\Hgnoki32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Hnhghcki.exe
        
        C:\Windows\system32\Hnhghcki.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Idbodn32.exe
        
        C:\Windows\system32\Idbodn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Iklgah32.exe
        
        C:\Windows\system32\Iklgah32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\Iqipio32.exe
        
        C:\Windows\system32\Iqipio32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Ijadbdoj.exe
        
        C:\Windows\system32\Ijadbdoj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Iqklon32.exe
        
        C:\Windows\system32\Iqklon32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Igedlh32.exe
        
        C:\Windows\system32\Igedlh32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Inomhbeq.exe
        
        C:\Windows\system32\Inomhbeq.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Idieem32.exe
        
        C:\Windows\system32\Idieem32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Ijfnmc32.exe
        
        C:\Windows\system32\Ijfnmc32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Iqpfjnba.exe
        
        C:\Windows\system32\Iqpfjnba.exe
        72⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\Igjngh32.exe
        
        C:\Windows\system32\Igjngh32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Indfca32.exe
        
        C:\Windows\system32\Indfca32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Jhijqj32.exe
        
        C:\Windows\system32\Jhijqj32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Jjjghcfp.exe
        
        C:\Windows\system32\Jjjghcfp.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Jqdoem32.exe
        
        C:\Windows\system32\Jqdoem32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2324
        
        C:\Windows\SysWOW64\Jgogbgei.exe
        
        C:\Windows\system32\Jgogbgei.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\Jnhpoamf.exe
        
        C:\Windows\system32\Jnhpoamf.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Jdbhkk32.exe
        
        C:\Windows\system32\Jdbhkk32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1756
        
        C:\Windows\SysWOW64\Jklphekp.exe
        
        C:\Windows\system32\Jklphekp.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Jqiipljg.exe
        
        C:\Windows\system32\Jqiipljg.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Jgcamf32.exe
        
        C:\Windows\system32\Jgcamf32.exe
        83⤵
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Jnmijq32.exe
        
        C:\Windows\system32\Jnmijq32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Jqlefl32.exe
        
        C:\Windows\system32\Jqlefl32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Jgenbfoa.exe
        
        C:\Windows\system32\Jgenbfoa.exe
        86⤵
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\Jjdjoane.exe
        
        C:\Windows\system32\Jjdjoane.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\Kdinljnk.exe
        
        C:\Windows\system32\Kdinljnk.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Kkcfid32.exe
        
        C:\Windows\system32\Kkcfid32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Kbmoen32.exe
        
        C:\Windows\system32\Kbmoen32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Kgjgne32.exe
        
        C:\Windows\system32\Kgjgne32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Kndojobi.exe
        
        C:\Windows\system32\Kndojobi.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2672
        
        C:\Windows\SysWOW64\Kqbkfkal.exe
        
        C:\Windows\system32\Kqbkfkal.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Kkhpdcab.exe
        
        C:\Windows\system32\Kkhpdcab.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Kbbhqn32.exe
        
        C:\Windows\system32\Kbbhqn32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Kilpmh32.exe
        
        C:\Windows\system32\Kilpmh32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Kjmmepfj.exe
        
        C:\Windows\system32\Kjmmepfj.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Kbddfmgl.exe
        
        C:\Windows\system32\Kbddfmgl.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Kinmcg32.exe
        
        C:\Windows\system32\Kinmcg32.exe
        99⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\Kjpijpdg.exe
        
        C:\Windows\system32\Kjpijpdg.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Lajagj32.exe
        
        C:\Windows\system32\Lajagj32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\Lgcjdd32.exe
        
        C:\Windows\system32\Lgcjdd32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Lndham32.exe
        
        C:\Windows\system32\Lndham32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Leopnglc.exe
        
        C:\Windows\system32\Leopnglc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3940
        
        C:\Windows\SysWOW64\Llhikacp.exe
        
        C:\Windows\system32\Llhikacp.exe
        105⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Mngegmbc.exe
        
        C:\Windows\system32\Mngegmbc.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2504

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddadpdmn.exe

Filesize
384KB

MD5
ffe5ec884471ae0f3fb324ec162d1c42

SHA1
78bf9d76351818d19e523f5e1f20413e3f9bc58b

SHA256
4b998b335def7c9bf5c89422a8b7bfffc003d6fc67bafa996fbc336cb2c2bff2

SHA512
b9c0420833e7c9ad78a0f5a41df6f2ab46257bccca75a7da05b2512df372c1887d935f1846dd018ba4eab83d7a9879b12061f4bd1d02e258fdc51b236f46a608

Download Submit
C:\Windows\SysWOW64\Ddcqedkk.exe

Filesize
384KB

MD5
99acbaca882499bc1e0c6f5b8852d804

SHA1
511260d2ad352cbdc0d098c1eb798fb34944aef8

SHA256
fcedb0ea18f4bc1c1cc1d59679d187ef96969e539cc65144986b6226700a9d54

SHA512
15335a6acc8652da883f4f47a3a2de76712a4c61b1057bfcdcf082b641e098f352dce802b56f6e4a01abe405d5e4c9f3bae807498084941b0c81792d7a4900ee

Download Submit
C:\Windows\SysWOW64\Dfmcfp32.exe

Filesize
384KB

MD5
91f098cf5d48b7afab3cfa419f5da5dc

SHA1
305a43701ee53e2378cc414a3ef73ed6423e1304

SHA256
25f678a497e1c1eb8d9cb6a43d9b7f88e47d0183101c80695af2cf7475c93e3d

SHA512
b49c5ea08ab09a28a5096107567b7c9e922917bd444b668d953fa9e6b31dc6d251551c0a20e53ce252348d35698c99ff2ff40861ddeece992d13be8af4281a92

Download Submit
C:\Windows\SysWOW64\Dhhfedil.exe

Filesize
384KB

MD5
2e8cc08f9a3986de5631d9b31d4e323b

SHA1
16b85ac50bf2e459b4a0d4b39e3e8cdfd911a3f0

SHA256
d86968edac4119a576318948faa96381e44b60b04b28cf05ff73759c664da463

SHA512
ba79bb53ab16173e793099b111b3705d8739842a218adaa798f553bda3ee4fbb241824e25d91725512fb5581754e5019e6c42ff7f056aaa956898ecedd5a7dc3

Download Submit
C:\Windows\SysWOW64\Dinmhkke.exe

Filesize
384KB

MD5
bba21c19f26720c55d8264b73f5a347b

SHA1
6a674c5a14be00ee5618dddaf63a2f8d356816d0

SHA256
00e839a77e96d7e6d39db9740baa13c8c94238278a030cd659117ae9668feab5

SHA512
66b64002e63e6febe4c77580f71efafc94d0b7c88be965322b02a219ba961aee9229e065da74e5c91ff05855ff21922078c70a014f3006f8fea83e4ca1ecb5dd

Download Submit
C:\Windows\SysWOW64\Djfcaohp.exe

Filesize
384KB

MD5
d3afd90d617c4087d07d0d81233c604e

SHA1
f2bb6e241d063e7fc7308d5ec9417148540a92c1

SHA256
addf74512d3826d2d83f4730f7ed8fb9325c8e7d41832ed3e35dea69feda4025

SHA512
d2d1ebc58e0cd0488bb6a496c4ef64042f6f1b1b51a882c24984b891360914c9a171607f1343e810fc77a6b4300c8e0c06a556dc0f4cc993eb00005e3731993c

Download Submit
C:\Windows\SysWOW64\Dmdonkgc.exe

Filesize
384KB

MD5
03379e518a4f3214b68a9649088ec8c2

SHA1
2adbb9d0e892fdd582124e580a9697f499936c94

SHA256
3b0f953ba41aa860c52c80c5f439e6770fb88d519113677262a84094095e70c2

SHA512
511df53ed4e11618e53eb3064c864d5e2bc36b9a19d741419249a70ba66dd35681359597dd21a959e3b2acc5448d385988cf9bdf25659410e229e36e97a81df0

Download Submit
C:\Windows\SysWOW64\Dmglcj32.exe

Filesize
384KB

MD5
94b11fa91f5607283a3db4a8e72d23ef

SHA1
f17e99b52925b9157d3ff5b7094e040d429db408

SHA256
86c77f62fbe637d30fa2f94880966808ffc650adc57d94b9d677db0657ad7592

SHA512
581879719c76d5fd26f881357c590207a0304793405c86ab3ebf8c61eda3b38f8b5c6bfe93267396004f910fa3ef35535eca522e3db5a3ebf77d16abbaf60422

Download Submit
C:\Windows\SysWOW64\Dpckjfgg.exe

Filesize
384KB

MD5
972a14cd7d0a01baf6877771d1bdd8f1

SHA1
ff4313785ecf03581427b742c95a4dceacd3692d

SHA256
9cb0d2a812202bd510c269dee3fb02d0cc2ea9cd1e216d37e5050740a1b8645a

SHA512
754c383de54473549ede11f11fd9d51aaa6201979173fd20b2a7d03a91d0ba3e8e4590e15ef8e81c2f7eead9bc4d5beb45654a2000847615f176e2b49f5f106f

Download Submit
C:\Windows\SysWOW64\Dpqodfij.exe

Filesize
384KB

MD5
6a0d076007262024b5eceefbf2ec2b46

SHA1
3313a977c2d8b6696e48efa774b29b85c4d7873e

SHA256
ae2428d8c58fcf899893212fbf7f78a86af3a288309c886a66b635da5cac4129

SHA512
623ed9124ba1531c45077ad7bc475d87c21bfff55444269d3fd374b1d47d712ba8f8c49999707bd9f2d1fb5c909e7102b71869d4987e4322c0b9926c9a9f20d7

Download Submit
C:\Windows\SysWOW64\Eangpgcl.exe

Filesize
384KB

MD5
3c0f6327db0f4a99ddba126c9cfe2c80

SHA1
6b53a5db14919de5dada409e9d993ad78aab6898

SHA256
d24c2e13b662707de58cd4e671e6b980dbefd9046fca918486bf9d595841d583

SHA512
acd0d57e8b4fe947ad9272e8cb0a57a0361079b60ce3fad051098d21aa06af9baa8bcd71b5325f2bf260ca674a51579184d79d916b639ac8b76bcf91de592381

Download Submit
C:\Windows\SysWOW64\Edjgfcec.exe

Filesize
384KB

MD5
ea6ac23e98014972b3f55bde54458371

SHA1
e3fc8f023bd1f441e57ac1f26aa612ec97afdd58

SHA256
9d085f9df2d676214e9e93e0dae364a5d8a4d14034687b677abb2a254e7a9c75

SHA512
603820fc0e9a7fba335db8fe917eb75c4e9f02af73bc3ba5c534965bd1c160bb182690b24a0076d65a8756fb8e449e97f54518447c326b9a3d1cc7dd048a7f35

Download Submit
C:\Windows\SysWOW64\Eidbij32.exe

Filesize
384KB

MD5
cc85ccf7ab3de8a511078cfbd8ab4537

SHA1
7b10b9806f1a679fe36432d5d72449f2a813a693

SHA256
d5852197c78479b1b25ec8935ff5bf1456ff4eac712814a6f6f7045483e619a1

SHA512
1331dab020bf3e8e998edb2e785c2667670287f0397ab4bf7e031868b117ff0288acb403c3500563ef6257faae3bd0cfbbcc7596e34823e53de2d831d548b0da

Download Submit
C:\Windows\SysWOW64\Ejdocm32.exe

Filesize
384KB

MD5
70ba95363cb05683ede108a5e9acd518

SHA1
4b0c7cd4ef6b7547689de9bc3f630e9a45ecadbc

SHA256
1d3c05f9cd47d29b3e05e2a3ecd3c51478b32cd721f70219a7de541a629d1f49

SHA512
f5e7fca2683d932d59f2d40637456fc4416869755d0cff99922fdb73df3e6fa0b4f85654b52036097109248ffcbbb0ab435a9967198a7944a92a1a30d107c7a2

Download Submit
C:\Windows\SysWOW64\Ejflhm32.exe

Filesize
384KB

MD5
17da507ca276591d964825c967d1cc38

SHA1
0ab5e41ac7f239a6e5dc3009dccee53d05b359e5

SHA256
c4e5ee9d09272b935c4b3c77adf678ea3659dd18fdc0d943567aea33157107e0

SHA512
3303e36cbcf06cad8d31f1a4debba882c3d57ec74553e8cf656aa740bae6e079894aebdb8792bdd36e184d7bb82cdf963bb8f2b0de8fd9d84c4cf91ae8bb8702

Download Submit
C:\Windows\SysWOW64\Emehdh32.exe

Filesize
384KB

MD5
332ff5957736171ee49ad2f0d6137ac8

SHA1
0382f1791f5e193bf3df4b6c2dbaced925bf629f

SHA256
b97d06ecc4114e6cee1a264fc59dfaad1c56a6fd0b6372f5bcee30a6595f0921

SHA512
ebe43ead1afa05fb5fd05fe39270381fb9972a2c4fea05fd8891764db0609e6d9f5d84019b30109382271557a290e4fdf51c87cec0709212676ad0b66be108ec

Download Submit
C:\Windows\SysWOW64\Epcdqd32.exe

Filesize
384KB

MD5
bc0f3e107eaac65bb416c3af2b316de3

SHA1
e6755c97f43ad5628abd0f2231073e52614f3ebe

SHA256
b3069f74f6be86c5d071e19160717977459d91965d7fc659ae750f2572a5b60f

SHA512
f2e52335c0cb4c4052ae874898f748681c3e9c19e69ccf00368520a70d35bfa5a66ccb6a2bdb787a366314d7e6cd94a21b6c90165306d034a8fda6fbe11614c6

Download Submit
C:\Windows\SysWOW64\Eplnpeol.exe

Filesize
384KB

MD5
2d0245744cef0ec877d9ecaa71d1e530

SHA1
e254eb684857c26dbcd61aaea0a27b52f6c3c669

SHA256
9f173400366f00206f98758e9b821fdff5745bd6b93a74e02d33d41f38886970

SHA512
254edb142a698389ef5203eae7f77a76e438a7823aa86189df8a093f5100f23dcb72594d3c3dacb6a8517690a4fb2d59e86cad519f7262024b50b8570f03565b

Download Submit
C:\Windows\SysWOW64\Falcae32.exe

Filesize
384KB

MD5
8bcb645466f36938e9978b1c2271bb3f

SHA1
183b8fa14bd22ec17c7c9419fe98d03bee483e91

SHA256
fd28fa9a5f993c3764052d8ab506046ea2e353d46f47d0e9f44e942923c9b8b3

SHA512
69a08422ff7430ce78f501d8ea67cbe3da9d8c5cc9bd1549d98acc69ee80404d94e74507236394d3d6007f916742e421561b31706cc7ece4b52930e858fb89fc

Download Submit
C:\Windows\SysWOW64\Fdkpma32.exe

Filesize
384KB

MD5
54f89ca417d048d8b25e14eadc78ed1a

SHA1
1b6111115c3402a156fd68a035057700170bc6d6

SHA256
e8ab193f7252084d2fac51a2cf6cc1f97dcfb7e7fd61aab5f0c0682b0cbc9256

SHA512
18b1970f27127a4536bfea91416361d8c445b9aa017c5cee99de03395dfb375d3a7865f2890c25fc42d348b543d66a048d11dac9cce88f1f70cab4f97cd9ffd6

Download Submit
C:\Windows\SysWOW64\Fgbfhmll.exe

Filesize
384KB

MD5
13ccf8a653ef1f9f65fd9ddcd2682344

SHA1
3069a5039ddbf73de714ef0df90734932446c10e

SHA256
3ac944248ad5b5affefc0144bb3ca092f39c79a67676f133d22baf81e5e8d639

SHA512
5ec2caefa08634e7337f82b9221f7c14264fac901cb7f4c323d4fb5b61eab9d12afc287af4653f766dcfac4450b1065fafa151de5629dd96e65e7a5b8fdcd4e5

Download Submit
C:\Windows\SysWOW64\Fgdbnmji.exe

Filesize
384KB

MD5
bf35506a54c244fba0d5dd3393992f17

SHA1
889c5048c10e0b024e0643242337bdc53a10f2f0

SHA256
98f0b39dd9435bddffd00b4555989230d90d43087375254b4a2cc1d55a16ab74

SHA512
03e37b11ffbc919ed1c712c019df1dceb8fcbbf7dc96fda450e9ab8ed63f49b8b0b45ab8c41ae4ecf6f428b43199a28a3f2fa5405c83dceddac0bd7916a383d3

Download Submit
C:\Windows\SysWOW64\Fhdohp32.exe

Filesize
384KB

MD5
01b103d8932661985cd905ac90d640f1

SHA1
c73fea46f957630e7d04dba36021f450fc6eaccc

SHA256
2972af12b9fc9e11a895f72393d78f0d8dc9674eda19888db6caa5915551db48

SHA512
4e0704d3f40ac40eeb9d51783da83f842a38a32474cc6c1523a9f3c100fa01263313eba9161dbfb4ac5e8707ccc93178a46de53694343378a4d7f01735ba7d2e

Download Submit
C:\Windows\SysWOW64\Fkbkdkpp.exe

Filesize
384KB

MD5
d0c071c6dd37670e2f15f8175063570e

SHA1
3607525e268e21547263ee56438c12b925aec54a

SHA256
1cbe00ca424d11d8cdab337cd503e8e679a3c846bc5b9e9e0f6ef2341d99d9e0

SHA512
86a45c1a70b6658bd12344098e231b188277d0f06015afd77ddb7493f9103aa1c21b3e1e0777209b3294477d7dd9b09d5bda3b01fbf6d6efd1b92f00a9ec825b

Download Submit
C:\Windows\SysWOW64\Fmlneg32.exe

Filesize
384KB

MD5
780bc202e3a8d488a837730ea56a4628

SHA1
8d2e79ce786ef921101394ce6b6bdb8d8328766c

SHA256
f4788fa5ab341e43553d4eecb6ef007bc138ecf6312507e3d22d1efbf4b96bd0

SHA512
7ecaa5494e02d5bd191a25299a380fb9ea325057c127a8effd92efcd9c651948fa5a1e6a5b18c061eb30d44db13906e1a0cd7632d4a6f7f969918f230bc229f2

Download Submit
C:\Windows\SysWOW64\Fmnkkg32.exe

Filesize
384KB

MD5
2a620d4b2a138d703b342f031a9df0e5

SHA1
c855e4247ba5d6c10937847e86b42e3d510211e0

SHA256
6a0a89985e440d90b34d80af149f12221b18cdd2be583493e7b69d240f54ad4a

SHA512
3e8e5ff071fcfcf4c22a948935c5ec805172e99253a7f78bc347c5b2063ed07f32c13ad77e27a25bbbb41e42cb740cffe9a75a99572e2f759efb805efeca5cd4

Download Submit
C:\Windows\SysWOW64\Fpjjac32.exe

Filesize
384KB

MD5
75d6a64fd54cf17eccb97c24ff90dbd6

SHA1
31a578ef57d5a9bfd2d555e51b927436d036f000

SHA256
fc4cfeed1f4fbadb443a5091edee3c88a7e047d9265441405ac81de731fd096c

SHA512
7153dbfad71509eaca00e74253d64e8e588e70f6839906c08b21dd4d80697fda7ef9acf236266f35478cc1d3f2315d0b4e24052baccbf430e0c4ce7a73e7ea7a

Download Submit
C:\Windows\SysWOW64\Fpmggb32.exe

Filesize
384KB

MD5
3a386e00ced1e944a834389a70eb5544

SHA1
24a34360cfab526dbbb8ae2ceb6e641d4041d2d4

SHA256
e331307d01c979e57629b3ce95d217454da23b98b737f30e52afd26599063966

SHA512
bf28d0704dfa6331ea697ace154247b7cdd93f42298bd7bed9da35fae90d52f592d2303ae1228fd0b0b2d9b3a8b4b5a1bf6b5145fa04c7a443a1754852b0ccc9

Download Submit
C:\Windows\SysWOW64\Gaopfe32.exe

Filesize
384KB

MD5
70ddad04f6e2152fb0330c85c6a50001

SHA1
8abb2c92e316da79fd65ff0172b30ea4ebf314fc

SHA256
6492d3629d9477a5528499849dc634f52b8dea43110a6b58d0a63606e23b2161

SHA512
77cc46666660c65e532d77e2cd26dddb1f6b42b0d382e7b6e0e1bf5809626f322450249918d7b5b65094aa212fac48c21f96a7f37f8de65766d527cfaf14da07

Download Submit
C:\Windows\SysWOW64\Ghhhcomg.exe

Filesize
384KB

MD5
01192e84071fe08aa6ad0a6c0e0d25b4

SHA1
99cd49dbd57f905362808f6772ed0f929f72e812

SHA256
cd8efcb591f39afe155f632aca2c2c489ba4a5eb3556529a6dfc30b97b7fc14d

SHA512
f669ccd524c0f997ebf86e71a834877773da8bc57c91e10c3e18b4429a6d5aad4884958c9ef281c400743524a575afe3b5926cdb8b40a476f42795614445d7c6

Download Submit
C:\Windows\SysWOW64\Gigheh32.exe

Filesize
384KB

MD5
60d5b9314d3acaa600e94dea65a634d7

SHA1
9741dee0124b8307b947e3ef096a32addfff4192

SHA256
e6ed265656b58bc5ae45d1c47849be6888fc63971d98638ca1ffd0b8973f3572

SHA512
5e2e27fd3a2013e423c80ba7c980bf1386fd5745f1bce24db57a164b8b6772ee81713fc3ef4aff9e7a799ca70c220f248697eca60ab4c3afa8c341c9a1489378

Download Submit
C:\Windows\SysWOW64\Gpaqbbld.exe

Filesize
384KB

MD5
522d64f10f1c2f33caec6536c38bb4e2

SHA1
d7c844e323c8ea10629b5b8a7715865ddde777e6

SHA256
76eb70c5d7dffdf3ce0263f3c40555b078b187be4441e8e3629ace788c9ee42a

SHA512
13c625ed8627a9d159de88c5506fe5301f6fa88483b2d08d468878c28bf259c40acf75a25545a2185464510af95c0c2ca2da007634c40259f79528ec8b5f7c10

Download Submit
memory/224-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/456-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/556-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/640-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/644-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/808-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/840-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/864-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1092-182-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1136-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1188-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1300-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1308-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1404-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1404-557-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1464-166-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1568-238-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1580-603-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1624-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1648-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1676-78-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1756-545-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1760-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1828-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1844-190-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1880-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1948-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2076-477-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-401-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2200-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2212-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2324-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2688-563-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2688-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2792-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2836-126-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2852-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2928-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3044-513-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3080-206-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3084-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3120-110-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3132-174-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3136-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3168-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3232-198-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3244-592-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3396-532-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3432-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3516-246-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3572-604-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3632-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3648-519-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3672-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3700-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3784-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3828-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3852-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3884-254-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3892-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3932-118-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3936-102-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4052-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4052-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4052-543-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4204-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4272-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4280-214-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4284-585-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4284-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4328-576-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4400-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4448-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4456-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4476-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4496-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-571-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4692-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4696-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4704-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4768-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4820-86-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4856-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4864-54-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4956-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5012-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5036-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5080-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5084-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5088-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5092-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5092-577-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads