d6bf39336d17236c46bf6121c6cbc0bc3cbc69f34161dc54d765af0b564139b7

Analysis

max time kernel
125s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6bf39336d17236c46bf6121c6cbc0bc3cbc69f34161dc54d765af0b564139b7.exe
Size

1.1MB
MD5

a44c6aa59d9f474bf264cffbc8d3c0d6
SHA1

2241584745f6d436a3c9951a46177271b4a129f2
SHA256

d6bf39336d17236c46bf6121c6cbc0bc3cbc69f34161dc54d765af0b564139b7
SHA512

2980e1d716a9dd88a3caf8fb14cfed361770ebac67bd99c81df76964c548f49b9a3b4c39609e082423940865e31f78d38eef3f02cdd6492bca9f6080dfc20f91
SSDEEP

12288:HSrQg5Z/+zrWAIAqWim/+zrWAI5KFukEyDucEQX:HSrQg5ZmvFimm0HkEyDucEQX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaiqcnhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieojgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihmfco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iimcma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klggli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckkfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ommceclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkkhbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abfdpfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kofdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphqji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplmliko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdlfjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egkddo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibqnkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ephbhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpmhdmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ephbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kplmliko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqmhqapg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cienon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnamjhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhkbdmbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbnajqc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epdime32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeocna32.exe

Executes dropped EXE 64 IoCs

pid	Process
5032	Hpmhdmea.exe
1744	Hldiinke.exe
2512	Hbnaeh32.exe
1324	Hihibbjo.exe
2968	Ilfennic.exe
2084	Ibqnkh32.exe
2752	Ieojgc32.exe
4020	Ihmfco32.exe
2284	Iogopi32.exe
2660	Ibcjqgnm.exe
1416	Iimcma32.exe
1296	Ilkoim32.exe
4548	Ibegfglj.exe
64	Ieccbbkn.exe
1644	Ilnlom32.exe
4728	Iolhkh32.exe
3996	Iefphb32.exe
1624	Ihdldn32.exe
1676	Iondqhpl.exe
3620	Iamamcop.exe
4000	Jhgiim32.exe
1872	Jpnakk32.exe
4068	Jaonbc32.exe
3400	Jifecp32.exe
116	Jldbpl32.exe
4352	Jocnlg32.exe
4300	Jhkbdmbg.exe
3940	Jpbjfjci.exe
2676	Jbagbebm.exe
3648	Jeocna32.exe
3036	Jhnojl32.exe
216	Johggfha.exe
2476	Jeapcq32.exe
2776	Jhplpl32.exe
4928	Jpgdai32.exe
1748	Jbepme32.exe
4688	Kedlip32.exe
416	Khbiello.exe
4996	Kpiqfima.exe
3276	Kbhmbdle.exe
1396	Kefiopki.exe
5132	Kheekkjl.exe
5172	Kplmliko.exe
5212	Kamjda32.exe
5252	Kidben32.exe
5292	Klbnajqc.exe
5332	Koajmepf.exe
5372	Kapfiqoj.exe
5412	Khiofk32.exe
5452	Kocgbend.exe
5492	Kabcopmg.exe
5532	Kiikpnmj.exe
5580	Klggli32.exe
5612	Kofdhd32.exe
5652	Lepleocn.exe
5692	Lhnhajba.exe
5732	Lpepbgbd.exe
5772	Lcclncbh.exe
5812	Lindkm32.exe
5852	Lllagh32.exe
5892	Lcfidb32.exe
5932	Ledepn32.exe
5980	Lhcali32.exe
6012	Lpjjmg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fdflknog.dll	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Ghnllm32.dll	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Gbhibfek.dll	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Aimogakj.exe	Afockelf.exe
File opened for modification	C:\Windows\SysWOW64\Ckpamabg.exe	Bbhildae.exe
File created	C:\Windows\SysWOW64\Ljbnfleo.exe	Lchfib32.exe
File created	C:\Windows\SysWOW64\Noblkqca.exe	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Pjjfdfbb.exe	Pbcncibp.exe
File created	C:\Windows\SysWOW64\Polcjq32.dll	Ajmladbl.exe
File opened for modification	C:\Windows\SysWOW64\Ekngemhd.exe	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Gihfoi32.dll	Fnffhgon.exe
File created	C:\Windows\SysWOW64\Ibegfglj.exe	Ilkoim32.exe
File created	C:\Windows\SysWOW64\Nhoped32.dll	Pmhbqbae.exe
File opened for modification	C:\Windows\SysWOW64\Qppaclio.exe	Pmbegqjk.exe
File created	C:\Windows\SysWOW64\Aaiqcnhg.exe	Aibibp32.exe
File created	C:\Windows\SysWOW64\Apnndj32.exe	Aidehpea.exe
File created	C:\Windows\SysWOW64\Djegekil.exe	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Ejojljqa.exe	Ecdbop32.exe
File created	C:\Windows\SysWOW64\Jocnlg32.exe	Jldbpl32.exe
File created	C:\Windows\SysWOW64\Jpgdai32.exe	Jhplpl32.exe
File created	C:\Windows\SysWOW64\Mneoha32.dll	Jhplpl32.exe
File created	C:\Windows\SysWOW64\Mlofcf32.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Ookoaokf.exe	Ommceclc.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Bcejdp32.dll	Mlljnf32.exe
File opened for modification	C:\Windows\SysWOW64\Pfccogfc.exe	Ppikbm32.exe
File opened for modification	C:\Windows\SysWOW64\Aadghn32.exe	Aimogakj.exe
File created	C:\Windows\SysWOW64\Apmpkall.dll	Bigbmpco.exe
File created	C:\Windows\SysWOW64\Ccppmc32.exe	Cancekeo.exe
File opened for modification	C:\Windows\SysWOW64\Ilfennic.exe	Hihibbjo.exe
File created	C:\Windows\SysWOW64\Ncjakdno.dll	Klggli32.exe
File created	C:\Windows\SysWOW64\Elckbhbj.dll	Lhcali32.exe
File opened for modification	C:\Windows\SysWOW64\Nhegig32.exe	Nfgklkoc.exe
File opened for modification	C:\Windows\SysWOW64\Nbphglbe.exe	Noblkqca.exe
File created	C:\Windows\SysWOW64\Pafkgphl.exe	Pjlcjf32.exe
File created	C:\Windows\SysWOW64\Ejojljqa.exe	Ecdbop32.exe
File opened for modification	C:\Windows\SysWOW64\Iamamcop.exe	Iondqhpl.exe
File opened for modification	C:\Windows\SysWOW64\Johggfha.exe	Jhnojl32.exe
File created	C:\Windows\SysWOW64\Jgbfjmkq.dll	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Nqcejcha.exe	Nimmifgo.exe
File opened for modification	C:\Windows\SysWOW64\Ofgdcipq.exe	Ocihgnam.exe
File opened for modification	C:\Windows\SysWOW64\Oqmhqapg.exe	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Apjfbb32.dll	Lchfib32.exe
File created	C:\Windows\SysWOW64\Klndfknp.dll	Nfnamjhk.exe
File created	C:\Windows\SysWOW64\Abjmkf32.exe	Adgmoigj.exe
File opened for modification	C:\Windows\SysWOW64\Biklho32.exe	Bfmolc32.exe
File created	C:\Windows\SysWOW64\Camgolnm.dll	Epdime32.exe
File created	C:\Windows\SysWOW64\Fqbeoc32.exe	Fncibg32.exe
File opened for modification	C:\Windows\SysWOW64\Ojhiogdd.exe	Obqanjdb.exe
File created	C:\Windows\SysWOW64\Leeigm32.dll	Qfmfefni.exe
File opened for modification	C:\Windows\SysWOW64\Cancekeo.exe	Cigkdmel.exe
File opened for modification	C:\Windows\SysWOW64\Ibcjqgnm.exe	Iogopi32.exe
File opened for modification	C:\Windows\SysWOW64\Ibegfglj.exe	Ilkoim32.exe
File opened for modification	C:\Windows\SysWOW64\Mcoljagj.exe	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Eknphfld.dll	Bfkbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Lhnhajba.exe	Lepleocn.exe
File opened for modification	C:\Windows\SysWOW64\Pmhbqbae.exe	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Acqgojmb.exe	Aabkbono.exe
File created	C:\Windows\SysWOW64\Dilcjbag.dll	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Eafbac32.dll	Cienon32.exe
File created	C:\Windows\SysWOW64\Dkedonpo.exe	Djegekil.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fkemfl32.exe
File opened for modification	C:\Windows\SysWOW64\Klggli32.exe	Kiikpnmj.exe
File opened for modification	C:\Windows\SysWOW64\Mljmhflh.exe	Mjlalkmd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1232	5184	WerFault.exe	324

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofmobmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kabcopmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhcali32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pakdbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidehpea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmcgcmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khbiello.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klggli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmladbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejccgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcjqgnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieccbbkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khiofk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbphglbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppaclio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhnojl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefiopki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mljmhflh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjmkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hldiinke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooibkpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqmhqapg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmlla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qapnmopa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqgojmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedlip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodiqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omfekbdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbgeqmjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibegfglj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ephbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egegjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecdbop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllagh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Momcpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njgqhicg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdlfjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkkhbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkmeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calfpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldbpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbcncibp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejjaqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqcejcha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbafoge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iefphb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeapcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbekii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Famhmfkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhegig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnamjhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmmoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkondfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhplpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbnajqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlljnf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjkejin.dll"	Jhnojl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llcghg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpepbgbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benibond.dll"	Jpgdai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcejdp32.dll"	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppgomnai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllinoed.dll"	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklliiom.dll"	Ibegfglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll"	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d6bf39336d17236c46bf6121c6cbc0bc3cbc69f34161dc54d765af0b564139b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmbegqjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aibibp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adgmoigj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koajmepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgogbi32.dll"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camgolnm.dll"	Epdime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iondqhpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfmfefni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jldbpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Johggfha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbgeqmjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpbjfjci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfkgknc.dll"	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khnhommq.dll"	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhqcgnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadeee32.dll"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kamjda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mohidbkl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 5032	4284	d6bf39336d17236c46bf6121c6cbc0bc3cbc69f34161dc54d765af0b564139b7.exe	90
PID 4284 wrote to memory of 5032	4284	d6bf39336d17236c46bf6121c6cbc0bc3cbc69f34161dc54d765af0b564139b7.exe	90
PID 4284 wrote to memory of 5032	4284	d6bf39336d17236c46bf6121c6cbc0bc3cbc69f34161dc54d765af0b564139b7.exe	90
PID 5032 wrote to memory of 1744	5032	Hpmhdmea.exe	91
PID 5032 wrote to memory of 1744	5032	Hpmhdmea.exe	91
PID 5032 wrote to memory of 1744	5032	Hpmhdmea.exe	91
PID 1744 wrote to memory of 2512	1744	Hldiinke.exe	92
PID 1744 wrote to memory of 2512	1744	Hldiinke.exe	92
PID 1744 wrote to memory of 2512	1744	Hldiinke.exe	92
PID 2512 wrote to memory of 1324	2512	Hbnaeh32.exe	93
PID 2512 wrote to memory of 1324	2512	Hbnaeh32.exe	93
PID 2512 wrote to memory of 1324	2512	Hbnaeh32.exe	93
PID 1324 wrote to memory of 2968	1324	Hihibbjo.exe	94
PID 1324 wrote to memory of 2968	1324	Hihibbjo.exe	94
PID 1324 wrote to memory of 2968	1324	Hihibbjo.exe	94
PID 2968 wrote to memory of 2084	2968	Ilfennic.exe	95
PID 2968 wrote to memory of 2084	2968	Ilfennic.exe	95
PID 2968 wrote to memory of 2084	2968	Ilfennic.exe	95
PID 2084 wrote to memory of 2752	2084	Ibqnkh32.exe	96
PID 2084 wrote to memory of 2752	2084	Ibqnkh32.exe	96
PID 2084 wrote to memory of 2752	2084	Ibqnkh32.exe	96
PID 2752 wrote to memory of 4020	2752	Ieojgc32.exe	97
PID 2752 wrote to memory of 4020	2752	Ieojgc32.exe	97
PID 2752 wrote to memory of 4020	2752	Ieojgc32.exe	97
PID 4020 wrote to memory of 2284	4020	Ihmfco32.exe	98
PID 4020 wrote to memory of 2284	4020	Ihmfco32.exe	98
PID 4020 wrote to memory of 2284	4020	Ihmfco32.exe	98
PID 2284 wrote to memory of 2660	2284	Iogopi32.exe	99
PID 2284 wrote to memory of 2660	2284	Iogopi32.exe	99
PID 2284 wrote to memory of 2660	2284	Iogopi32.exe	99
PID 2660 wrote to memory of 1416	2660	Ibcjqgnm.exe	100
PID 2660 wrote to memory of 1416	2660	Ibcjqgnm.exe	100
PID 2660 wrote to memory of 1416	2660	Ibcjqgnm.exe	100
PID 1416 wrote to memory of 1296	1416	Iimcma32.exe	101
PID 1416 wrote to memory of 1296	1416	Iimcma32.exe	101
PID 1416 wrote to memory of 1296	1416	Iimcma32.exe	101
PID 1296 wrote to memory of 4548	1296	Ilkoim32.exe	102
PID 1296 wrote to memory of 4548	1296	Ilkoim32.exe	102
PID 1296 wrote to memory of 4548	1296	Ilkoim32.exe	102
PID 4548 wrote to memory of 64	4548	Ibegfglj.exe	103
PID 4548 wrote to memory of 64	4548	Ibegfglj.exe	103
PID 4548 wrote to memory of 64	4548	Ibegfglj.exe	103
PID 64 wrote to memory of 1644	64	Ieccbbkn.exe	104
PID 64 wrote to memory of 1644	64	Ieccbbkn.exe	104
PID 64 wrote to memory of 1644	64	Ieccbbkn.exe	104
PID 1644 wrote to memory of 4728	1644	Ilnlom32.exe	105
PID 1644 wrote to memory of 4728	1644	Ilnlom32.exe	105
PID 1644 wrote to memory of 4728	1644	Ilnlom32.exe	105
PID 4728 wrote to memory of 3996	4728	Iolhkh32.exe	106
PID 4728 wrote to memory of 3996	4728	Iolhkh32.exe	106
PID 4728 wrote to memory of 3996	4728	Iolhkh32.exe	106
PID 3996 wrote to memory of 1624	3996	Iefphb32.exe	107
PID 3996 wrote to memory of 1624	3996	Iefphb32.exe	107
PID 3996 wrote to memory of 1624	3996	Iefphb32.exe	107
PID 1624 wrote to memory of 1676	1624	Ihdldn32.exe	108
PID 1624 wrote to memory of 1676	1624	Ihdldn32.exe	108
PID 1624 wrote to memory of 1676	1624	Ihdldn32.exe	108
PID 1676 wrote to memory of 3620	1676	Iondqhpl.exe	109
PID 1676 wrote to memory of 3620	1676	Iondqhpl.exe	109
PID 1676 wrote to memory of 3620	1676	Iondqhpl.exe	109
PID 3620 wrote to memory of 4000	3620	Iamamcop.exe	110
PID 3620 wrote to memory of 4000	3620	Iamamcop.exe	110
PID 3620 wrote to memory of 4000	3620	Iamamcop.exe	110
PID 4000 wrote to memory of 1872	4000	Jhgiim32.exe	111

C:\Users\Admin\AppData\Local\Temp\d6bf39336d17236c46bf6121c6cbc0bc3cbc69f34161dc54d765af0b564139b7.exe
"C:\Users\Admin\AppData\Local\Temp\d6bf39336d17236c46bf6121c6cbc0bc3cbc69f34161dc54d765af0b564139b7.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\SysWOW64\Hpmhdmea.exe
  C:\Windows\system32\Hpmhdmea.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\Hldiinke.exe
    C:\Windows\system32\Hldiinke.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\Hbnaeh32.exe
      C:\Windows\system32\Hbnaeh32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        30⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:416
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        41⤵
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        43⤵
        Executes dropped EXE
        
        PID:5132
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5172
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        46⤵
        Executes dropped EXE
        
        PID:5252
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        49⤵
        Executes dropped EXE
        
        PID:5372
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        51⤵
        Executes dropped EXE
        
        PID:5452
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        57⤵
        Executes dropped EXE
        
        PID:5692
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        59⤵
        Executes dropped EXE
        
        PID:5772
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        60⤵
        Executes dropped EXE
        
        PID:5812
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        63⤵
        Executes dropped EXE
        
        PID:5932
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        65⤵
        Executes dropped EXE
        
        PID:6012
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        66⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        67⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        68⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        69⤵
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        70⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        71⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        72⤵
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        73⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        74⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        75⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        77⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        78⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        82⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        84⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        86⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        88⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6276
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:6316
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        93⤵
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:6396
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        95⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6476
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        97⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        98⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:6636
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6676
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        102⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:6756
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6796
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6836
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:6916
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        108⤵
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        109⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:7036
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        111⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        112⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        114⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        115⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        116⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        117⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        118⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        119⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        120⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        124⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        125⤵
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        127⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:6380
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        129⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6508
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        131⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        133⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:6768
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        135⤵
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        136⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        137⤵
        Drops file in System32 directory
        
        PID:6964
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        138⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:7112
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        140⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        141⤵
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        142⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        144⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        145⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        148⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        149⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        151⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        153⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7244
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:7284
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7324
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        157⤵
        Drops file in System32 directory
        
        PID:7364
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        158⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7444
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7484
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        161⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        162⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        163⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7644
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7684
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7724
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:7764
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        168⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7804
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7844
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        170⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        171⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        172⤵
        Drops file in System32 directory
        
        PID:7964
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        173⤵
        Modifies registry class
        
        PID:8004
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:8044
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8084
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        176⤵
        Modifies registry class
        
        PID:8124
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        177⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6624
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        179⤵
        Drops file in System32 directory
        
        PID:6712
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        180⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        181⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        182⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7072
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        184⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5088
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1580
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        187⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        188⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        191⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        192⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        193⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        194⤵
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7312
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7376
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7432
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        198⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7480
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        199⤵
        Drops file in System32 directory
        
        PID:7532
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        200⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7592
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        201⤵
        Drops file in System32 directory
        
        PID:7720
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        202⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        203⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7936
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:8000
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:8056
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        207⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:8156
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        209⤵
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        210⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        211⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        213⤵
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Enlcahgh.exe
        
        C:\Windows\system32\Enlcahgh.exe
        214⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7240
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        220⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        221⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        222⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        223⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        224⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        226⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7840
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:7960
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        228⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:6584
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        230⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        231⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 412
        232⤵
        Program crash
        
        PID:1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8
1⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5184 -ip 5184
1⤵
PID:5840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ejccgi32.exe

Filesize
1.1MB

MD5
b8f0b87c1f4306419d40ea19447cc67a

SHA1
fa9a35167e3b5af0168218bc84a1394aa9f84ab9

SHA256
471069342b769fdf231515a3deaaf68d055d0bdccb46c8d6f42730f03ea57877

SHA512
58540b0eeb7c293407fd123ad45fb130d5760ca128fc764b6369745968e01ae840e4a50d89859de60f410601b47d4123d410363eb1f77503816f1f698b2ca6cd

Download Submit
C:\Windows\SysWOW64\Ejojljqa.exe

Filesize
1.1MB

MD5
a29b8f2fc8a302e3715f889406583fa4

SHA1
529cb1c32407e9fdb54b78e2b7f4e8b5fe85c4ee

SHA256
f522d8b2eef7d63a6426af5f5f69849c5dea583322165c5b7126628ac68591ae

SHA512
a55a1195bed59713cfea71ee64cf978434b0f72b3db64f7ea4792bba112db4940dff74e75dbd58ffabac9ba38776411dea7365049f3c68d23af5e760bbd23298

Download Submit
C:\Windows\SysWOW64\Fcekfnkb.exe

Filesize
1.1MB

MD5
8e5c28ba5a1eb2c3a934107bc96d49b8

SHA1
cbaac919f527538013b44d55416c554881e69c64

SHA256
cc0acf3df5dd33232222403381e4340e303ce253924d314b5ff6f097a70b52ee

SHA512
dace06d47f9be754f81477fac7430b95ab2455a034018ef8ba4511f365d847d011fade7c1c5a63170ce3c3f1944f7a339727a2c8f5fd9ca613bcfde16517ebc3

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
1.1MB

MD5
ee12f7e4e1360cc19a54e7012e258284

SHA1
04eb284c5a51727905100f0307deabacb7eea2a4

SHA256
a1852586c2e237ccebb27dd8ba147357b0abd265ac7e3370c3deb15ee38d086f

SHA512
f4855967b77803823125dc9e0dbafe55a6cbb489df1a98a82285c7dbacc0f0051ea370d339208d9044c629d11b0a72875ac17edfad672e13a755d568fa9000e3

Download Submit
C:\Windows\SysWOW64\Fnffhgon.exe

Filesize
1.1MB

MD5
9be40a9dc30a2d0e28117f312e79eabc

SHA1
9761a4959ed0178f689a863a5ae41d2793a787d4

SHA256
d2fc59c45772ddf5411f6e7e2c8e1bc50e596428fb69034e589d67e7080489e1

SHA512
afeb50dcbae422587bf8dc04c1aa2062fc8f4cc398cb3ab3eecb79c2c05006de14dcb469308312dd9d355986b5869516fe99fd2424a004ab5ac27c7b1e74286f

Download Submit
C:\Windows\SysWOW64\Hbnaeh32.exe

Filesize
1.1MB

MD5
dde85f09ae7cffa48d56c437b045f17f

SHA1
8ec4126f40c1526b65d468d1ac5ac7b064036047

SHA256
ecf847e870bbaa27f41588141b48f3b6698e8344b12fa2482d431a263b7edc1d

SHA512
5250f59a18502e9f990504de2fbe27ceeeec48a0a0ee819f7300693f469e4b6e1f705849d0426cd4cf4134101f5c0ebe22f1d2f954d95d241a95d6dca531e34f

Download Submit
C:\Windows\SysWOW64\Hihibbjo.exe

Filesize
1.1MB

MD5
ceb66dd8e62b47af97472690f1cafa6d

SHA1
419cd74e4ff9abfdadfb52390f0f293c4a1e2d4d

SHA256
160d9fae9f1e8e805c8af366a15ac7a3cbbe00fec247341be91e6220f287c4cd

SHA512
83ff61ceb4a0a6f0a3df5cd76ccf00ed497881b305416a8183034ffbd04b885c537a55d3fed802e244633909254cc34415e479ad2cbe0807224203854991d0e9

Download Submit
C:\Windows\SysWOW64\Hldiinke.exe

Filesize
1.1MB

MD5
08602c7128d3d2aab5efad81d65df4a4

SHA1
14a1e7319b1bf98e2b26d6944c82e6fd246d8023

SHA256
096f7fcdfbcb475478453068329347ccd70875b4a831dda233da5d244c024929

SHA512
0c2acd5f85f58e8b239009688e96247fb73a27884a826c01a035cbb8a0750e8c2e209c7b44625648b7826b9f17d5cb6c30dc111266755fd2553e83e517ab7a25

Download Submit
C:\Windows\SysWOW64\Hpmhdmea.exe

Filesize
1.1MB

MD5
b677eea53215fdb7149c6e91bf48fdfd

SHA1
f4092b49a595ef4324436440ab3088ccfedfeef1

SHA256
436a598ee8d163a4ea8d05255b58f64f18fb00d41cd35ab0e955738354cd2809

SHA512
4118a96f95b6bcdeba5894bff935beba50b487e3f7e16a15cc94dedb12dd59f168097c1412dd85443e0843ffa65c58b12d1a6c545e368bd24852ca806fc0e289

Download Submit
C:\Windows\SysWOW64\Iamamcop.exe

Filesize
1.1MB

MD5
cd7aba54995b45e7caceca8ea4ce4fd9

SHA1
36063ce57460cb2d69ddfd8b3ed9527ae53c0a88

SHA256
4814c62a88dffd6562e3442a5d72ddff3afeb586c3701a6da97364143dfb8146

SHA512
bcfd4dfc8e62dbc35378a85ba3c7ca17e5cacf9aee46d386f9042bcf2310d9e87b3e996d03f770862ba15f633adfb656af42b5d77c62293d8dacf36d0489ed22

Download Submit
C:\Windows\SysWOW64\Ibcjqgnm.exe

Filesize
1.1MB

MD5
f25aea2f42c21d4fef76a68796788b55

SHA1
50d468caae0e28284885622f35973bde2b5dbb96

SHA256
71a9f0869d88dbb211d57f5c62e04588689258d2e80c38190872e39f7372fc59

SHA512
2063cb41f2007005043cdb8dd424c89e125dac985b5759a7f17641ad7cd79e906e0687d0b195416f24a5a89cdb4b331e112b7283fad4a2983f760418a2715532

Download Submit
C:\Windows\SysWOW64\Ibegfglj.exe

Filesize
1.1MB

MD5
72eb895f53cb649b81b26fe12c55b750

SHA1
2201fa2017b738be84f0ef7768fb04b180672f96

SHA256
c8b2d9ac37a8d8211cedf8d72ee5a07eedc17d7f005e9cfdc07de63724af7b66

SHA512
1a1aa966a3c182fcab7c6ead5d7fe1c5eff1bd310d9d5fd52ea7a581d325db67ceda710b130d9bd6397de9f97740c0c349ab7e0d9f34a77ae010292d9beb953d

Download Submit
C:\Windows\SysWOW64\Ibqnkh32.exe

Filesize
1.1MB

MD5
29e36e3ce426221cc397959a8ab17595

SHA1
6e3c447b70b8a18b1a572afccb7f0a7d6998aa70

SHA256
0a8091fdff908f53eac08135b425ead826eecb1870e67460bf3e9bc24a2c7198

SHA512
b49cba837768278f39f984d30ffb92a29c21d4f792235a372708a4bcb56528dc1f457e6c124ecfb661e6e72542bf0d1f1e0faf98955cf2470b1741b30e1e5f73

Download Submit
C:\Windows\SysWOW64\Ieccbbkn.exe

Filesize
1.1MB

MD5
601f55307851ed048e85a93719305969

SHA1
6dae08953c75879298093fb72e9bca697043fe50

SHA256
8af85ad497273db622c7769ee0857d973f9fc2794b01da3eb27ffc77905b491c

SHA512
bd1549c6a07fd07b24dfb05bc396cd3150146d0f6ae8b3663aa2a42ccf30472f94bf3aee42dbd994e86462b5c0bf129d464e124b1011edd74c1c79b6ce8f4989

Download Submit
C:\Windows\SysWOW64\Iefphb32.exe

Filesize
1.1MB

MD5
4b84eb9f253ee443e446f1686c30fb44

SHA1
e4fd00baa7772a0043f6ab448f549c18bbfa0868

SHA256
5c5e1793d7690841fd98a79489620297bdc12c00ea56d4410ac12b2ee563c83d

SHA512
53a5d1d9fb3603c9202d2758d2869ca5074afd87a0b7b5680039a50e393cc0e39bd464ca97687293084b2387d297f377a68c2b991b0d4a41f8b2eba427c32c29

Download Submit
C:\Windows\SysWOW64\Ieojgc32.exe

Filesize
1.1MB

MD5
b63413897fa366d37ff0733c8d942cc2

SHA1
b2abd3f2c8b727cfc8d5b0cf72d97fa665ba7764

SHA256
15002376dc673cc54fcff4f01a66dbd2e320616e8641b9ff6c2bcc0314e49fc8

SHA512
b2291b12a8e79835127bd6fbf25834fb09f82c18c69f6de119429e7056d298183ca6ecab7be61b1e5e2bfc5957c164f8531aa73f16f2813d03df182402570a1b

Download Submit
C:\Windows\SysWOW64\Ihdldn32.exe

Filesize
1.1MB

MD5
2fce27bfa220d95a188683b014993197

SHA1
f1ef2c4a1118d5b17ac448ee470711d31d5a6de9

SHA256
b6d10adfe370c9f33330b642e9acd6f903424059881ddb9f3f705bf2d7dd0eba

SHA512
1f01117b930efd8f5f754f6845dbfa9e9071cff7fb0544d4309b097d4166317665c9f19e665405545c8bdd7711ddf2fd02f39b1624d3ec116de6b8b9b1c6edc1

Download Submit
C:\Windows\SysWOW64\Ihmfco32.exe

Filesize
1.1MB

MD5
1b82a192f5ada3a460c7065a674859e0

SHA1
660e2de4278d3f4a93ad10e9743bff4a0c1226dd

SHA256
8870b5fed51cf73db931c4c3c5cdcad29ceab41f2580b5cf47000fcb767146b6

SHA512
af2d901f96e56aa2fd6dd1e3d9d817eb5204d4be9ba248ab1ff65ce2d5a5874eebca198cb42d412d2e2d82cca9155d6e88e09d1a408fd53df4a4b11dd201a4d4

Download Submit
C:\Windows\SysWOW64\Iimcma32.exe

Filesize
1.1MB

MD5
adfdea83cc23954a3f254dbe3e8b9030

SHA1
40d5351ad770d51d4ea17447c7af9836528ed22b

SHA256
a5442ffeb47f72325c0b56d73b313cd2cb3b2c4def1660fc2a97b9f58787fbd2

SHA512
d4376b94ddd96aefddd911bed6f0bb986dba78f88bb5f2f9e01ecb61c3e3e378327360c6d0e05e27c582f80d0409a76a44d8f4484ca70fc0560953213b6f1bef

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
1.1MB

MD5
f6ed370e37f907fccf115131f806c1f5

SHA1
ca057d60ba3d43a266eec3a6cdb2692b6ce2b48e

SHA256
06ce14d3e8b59fe19b4a2f9df7705659200ab729cb6fa74387a4771e724ca703

SHA512
d02c4714a651274f74115c9196c04518390cc52529288993a8488ae4fc8afb26bc792a752b0bc83e8d866670bad9247128c59f2835c5966ffa2e7bd680f83758

Download Submit
C:\Windows\SysWOW64\Ilkoim32.exe

Filesize
1.1MB

MD5
a9792140bfd1e7bdc33d90094b362eed

SHA1
4f49cdd3930f5b0869dc41ced903930fc0191338

SHA256
4508979511939dcae75b06e97f841aab91019f307b5f5559c3bdeca9981d1553

SHA512
4ef2bf3a86c9ad396aa07133ec4bfdfc0b870cc9762b09519055bf256a703bd6b6f9657a93bc8977aa61f9c26cd3c1f67b01cb01e1e7bd0a407e99c6d7090073

Download Submit
C:\Windows\SysWOW64\Ilnlom32.exe

Filesize
1.1MB

MD5
20fb177d7ac59edf31eb5b0ca00d28a3

SHA1
11ac9ea9f60efcd2fcb8c3af2823484a1427717a

SHA256
4480d47156ae5a9caf55cbd8d85d5ba6f097eea142b9fc057c498235f47dd115

SHA512
1421bf88e8a63c7ec6b1ba99c43dd643854d42335bf482a39b9444d0debfb9842710d0b306158b598b0dfc865809cb3fa0d5e6cf43e5aeae84a4b972cf1076d1

Download Submit
C:\Windows\SysWOW64\Iogopi32.exe

Filesize
1.1MB

MD5
6316f6f2c38074f0ab568669a9bd98dc

SHA1
c7b781c3e8293ed5595481ed8b380c02b97968a8

SHA256
a3be22eaf934b742798d867f1e31638d846f8da6cdc744f3ac5ae485d4c1420b

SHA512
5f0f321ea54aa4cee7b2030b27fd8046268903193baf4c011c3c40431a887d15f9d613d710cc95b87b4e9337b08cb06072e00137ea02a24e1b2b17d89118202c

Download Submit
C:\Windows\SysWOW64\Iolhkh32.exe

Filesize
1.1MB

MD5
5209c50f166868e024bdc342429b7ce9

SHA1
3ab7a58a36a97390ce16e0fd45034a85fb6446d7

SHA256
b1c57a4682d8ab38401fe2e9ca59347960a2332e264238aa223d94412463c35d

SHA512
591875836331704ab9ba52f045b9b9d0d3737d1c8df1a0000b1b54696ccef8a097d71a349ac03f085aa284306e95bc641dc4510643b50f3ab97cc5f1bde18b77

Download Submit
C:\Windows\SysWOW64\Iondqhpl.exe

Filesize
1.1MB

MD5
bd68b4a4a4c43b914fb6ddacab8e32de

SHA1
19dbf44c3526e7a88da7d7828985ec3d25433c7b

SHA256
d443a9b9b0c92d69d08017f10e3a5fb0d15159a1bb6e4cef03518280c71f2135

SHA512
5690cf9f7cb6587c25b3c272568f081db8fc81d5ca0740f1b776c1b17e9406c0ac8b882b04dcb5667c1eaa1197dd5c4ec3fa8769b8e1df5f8273d8814a02029b

Download Submit
C:\Windows\SysWOW64\Jaonbc32.exe

Filesize
1.1MB

MD5
9b22a8db80d36cdafccef9d6dd51048d

SHA1
0b4471281478a54ad93eaaf30d0f44d3bbb9a2ff

SHA256
abf1e41160c7617f81dca0e409d6c0775d09ce76607d077f031731a9d4c277dc

SHA512
93a5dea1e9bdd13c3bae70702c42f8559544dd2020fda6ee8ca45a4df2dcafc1bf326440a92d61f34213ff8fe500888ad478887a7bc14461a6cec39c0b374c3d

Download Submit
C:\Windows\SysWOW64\Jbagbebm.exe

Filesize
1.1MB

MD5
ecb30edee5ad4a0a7aee14716e086668

SHA1
afb4e6f3100bcc7e3fece2d157e37d2530ec551e

SHA256
930e834e3208b190e9002799316802e4520630c212a8538b6b218c671fd9347a

SHA512
2f56648f78f012027e09fe6fffe93a1f770e90edf5e1655dd6cf194690108a66aa187652f8eade54de43e52067e8f18b632d2db809567b92ae2dcfbe09807134

Download Submit
C:\Windows\SysWOW64\Jeocna32.exe

Filesize
1.1MB

MD5
2fbbcf3658820b05ea686d36c90ac453

SHA1
cc5773b4e10c5bafdf4026b9d41fc809560e51ec

SHA256
17da2e6a5a8a4f8d7356c5e76b75af40dbe973e77aef2869fbbbc0fdfdf75606

SHA512
9a4e3b8c5d6fb8f8dc2630ee9094fb40926035abc6a230ff83da653913ff7ec17681dec0c375d11e517b6cf1262a444f75b57b53c3f4c6665ba598d78fd4496e

Download Submit
C:\Windows\SysWOW64\Jhgiim32.exe

Filesize
1.1MB

MD5
e7d52538586e1e6b16bb09a4856e6c19

SHA1
bacc48e6cbef6ffae7fc50dbf9e5d6851718ab93

SHA256
d05aa78bb26ba4a09850149b703acd5ed3b0fe285a5dc41c005e6a78b37e8882

SHA512
421f25b5579a7aadd2b5d6637e895260dcb94c6f3b37ea952cd52610ae0dd2e2ac1ed491640ad8a351b835a7e6d161c9668a9009c51eae373de126fc1552d650

Download Submit
C:\Windows\SysWOW64\Jhkbdmbg.exe

Filesize
1.1MB

MD5
a6c1ac6b785d50e4559e41abaebc0f56

SHA1
d895f92a67eac2ff2187855f6f3f0a5fb55cad8c

SHA256
d2c8f1870e86585f5f683ebafe22aa5536907557650a14abb17200ff91e4d8e8

SHA512
7b8fd95e6b4136c9cdc3b876fb722d9512772e0fd0119bf9c59b7508a5760cbe072f3fbd6674ad3aab54c5db6204ca7136dd9ebf9ae04a24e5cbab3e2d4bcfc7

Download Submit
C:\Windows\SysWOW64\Jhnojl32.exe

Filesize
1.1MB

MD5
17662db26fc872469107a8975fae1fe1

SHA1
d52389bd667d938e01482eb4458db1919378e4f3

SHA256
6213e872c44c103f8f4e8e4ab98adae401f3acc12533bf7aa35f922842d2ec25

SHA512
1e4bbc80ef45bb9fc38df8eec3fa85cde03fe190f489f2384f67585c1f0edc01b710e110d7670c2ebaba7025d4c4b3148a130b70cacdfe71ec4562e313dd9f8c

Download Submit
C:\Windows\SysWOW64\Jifecp32.exe

Filesize
1.1MB

MD5
d185b47f99e19c3702fe6d7c0bf19d35

SHA1
e61bd8b926fb3fa10330fb95ab0dc3917c52ad92

SHA256
8c0578a31a8d658b46c1060e414bb3806a77340fc8992a559bd0ce926658b33b

SHA512
0494cd86675f442aec42ee1bda5ebc68bb8a862a6564c4ea043c4952a5f07388c55981858cf2f6502040eeeb3c47f21eb02c31005649628b055138eb000bee17

Download Submit
C:\Windows\SysWOW64\Jldbpl32.exe

Filesize
1.1MB

MD5
89d7f87b4f2a11b1e2bd53e9143ca8ce

SHA1
ede73684555e0ce43ae2d084820d6d8a4a780751

SHA256
ff6e5414701ce655434804712db3cc30aa5d89adc4b614c9e7cb1dcd92727e7f

SHA512
e7da960194d29d10fb4fb984e7c7b3082abc6f14e6de1f40758bd725ab50042476f42833e82bc500cfa6088cd16af8204d041fa5423068511d7646b058fd5c4e

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
1.1MB

MD5
c44b7ceeb0bd25247cb1e88e658af7ce

SHA1
d3af430ed0bd368afcf054f35b05f5cf4a26c768

SHA256
d964f667b32836d27029a945a368cddff73c09fba20c81e1e4e2a6d886c9b3d4

SHA512
f75425387177bedd3c4991df20088905bbff4e34c256635a6472b0a51d9c48fa1c8938f4b3ef1f7017e2f0fd293a35afff3d00461a911c1c99252c640d77300d

Download Submit
C:\Windows\SysWOW64\Johggfha.exe

Filesize
1.1MB

MD5
b399c6192e14a057108323afebf63870

SHA1
4d9134b9184c259e47f27a27c3856e3b9d87f19c

SHA256
e41892567b39528bccdc4cc2ee3dafa1da93396302fb6a57ea02bf0ef25440ae

SHA512
8b74a22ad729463521f6361759adf86e09dbd3e8f31c05a879f84f9193a53c77c954bff78b0a7e42dc65d7e39be3145533e5a425e31837f0c7a64cdd54b36fbe

Download Submit
C:\Windows\SysWOW64\Jpbjfjci.exe

Filesize
1.1MB

MD5
aad04f82e31f9ee1344cd12f28c00052

SHA1
025bdee07ec53c158b8e53b588a55b6e88932704

SHA256
17969f3190f29ab5175db1fb4780b1fcbc29102778d3eddf2b40e07c340de61b

SHA512
5e7bc600bc14efeae6cb3f275887439ac1a76190e37979678bf80e61b178437cfe912145246f18a0684d7e5e1bb33abfae9e5f119f663aa3a20cfd72fed3eec8

Download Submit
C:\Windows\SysWOW64\Jpnakk32.exe

Filesize
1.1MB

MD5
edcbbbc395f43c70be8d6de5b45872a6

SHA1
b28ea43b651cee00b65051ab4af669a7269b2a57

SHA256
ad3a781962e891ee164cbfa96b9768ade2a03d98f8ee3cedab722c2f0cbbd108

SHA512
1e1ae8a3748440f2d8bb365a5941b0a22c8715c7ca530641727a22123ef1c441e2285330d2ab72a2ff22aa96d8a1bc8574daf22847bb5eebd4dcafbb46327cd2

Download Submit
C:\Windows\SysWOW64\Keoaokpd.dll

Filesize
7KB

MD5
848274f20c553b84346931741a5baef3

SHA1
f174e6f912e86d7093afb13251565c02d4a225d4

SHA256
139f697f86cb452c1a3f79015c06865d95aafc30d97314d9eb19279ce6545957

SHA512
2903d1919739c5ba6999ed187308a58e2353836f6714902ceda10c4bf893692a5a1d9dbed2b6e635623c59f670652fea7989ecdb8cf23c589762415211aba0ce

Download Submit
memory/64-119-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/116-207-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/216-263-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/416-300-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1112-498-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1296-103-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1324-36-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1396-318-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1416-94-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1624-152-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1644-128-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1676-160-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1688-492-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1740-486-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1744-20-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1748-288-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1872-184-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2068-576-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2084-53-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2284-76-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2476-270-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2512-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2512-110-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2660-86-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2676-240-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2752-60-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2776-275-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2968-44-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2988-480-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3036-256-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3276-312-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3400-199-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3620-168-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3648-248-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3940-232-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3996-144-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4000-175-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4020-68-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4068-191-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4212-504-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4284-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4284-84-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4300-224-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4352-216-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4548-111-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4688-294-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4728-136-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4844-510-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4928-281-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4996-306-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5032-93-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5032-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5124-516-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5132-324-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5172-330-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5180-522-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5212-336-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5252-342-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5260-528-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5292-348-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5332-354-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5340-534-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5372-360-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5408-540-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5412-366-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5452-372-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5484-546-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5492-378-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5532-383-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5560-552-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5580-390-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5612-396-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5640-558-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5652-402-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5692-408-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5716-564-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5732-414-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5772-420-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5796-570-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5812-426-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5852-432-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5892-438-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5928-582-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5932-443-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5980-450-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6008-588-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6012-456-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6052-462-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6092-468-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6132-474-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6156-594-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6196-600-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6236-606-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6276-612-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6316-618-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/6356-624-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads