5fe4d7a115a1db85ce926c78f4835b1bf2041efea28569712eb245effc62db10

Analysis

max time kernel
97s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fe4d7a115a1db85ce926c78f4835b1bf2041efea28569712eb245effc62db10N.exe
Size

1.1MB
MD5

bde6587704610f0b784e25d4514c9fb0
SHA1

83e440dc837d223fc6d096ba09bcc493f54157f0
SHA256

5fe4d7a115a1db85ce926c78f4835b1bf2041efea28569712eb245effc62db10
SHA512

a7ec20fe5e41b72cc9d614f6e4e88831b8faa419e736f649800691da24efd29b4238d2ce6639751ff2e5b99ace7d734e4d58509614647bd23d5c6ed17a566b83
SSDEEP

24576:xPrQg5Wm0BmmvFimm0MTP7hm0BmmvFimm0HkEyDucEQX:xjQg5SiLi0kEyDucEQX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmabdibj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdnjgmle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gododflk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkmlofol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilghlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hijooifk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hckjacjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfifmnij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdhmnlcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecandfpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnjab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibqpimpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5fe4d7a115a1db85ce926c78f4835b1bf2041efea28569712eb245effc62db10N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icnpmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gblngpbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikpaldog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilidbbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmncnb32.exe

Executes dropped EXE 64 IoCs

pid	Process
4452	Ekemhj32.exe
4828	Ecmeig32.exe
2020	Edpnfo32.exe
4232	Ecandfpd.exe
4652	Fcckif32.exe
3704	Fkopnh32.exe
1660	Flnlhk32.exe
976	Flqimk32.exe
2516	Fhgjblfq.exe
2224	Fdnjgmle.exe
4092	Gododflk.exe
2552	Gbdgfa32.exe
2168	Gkmlofol.exe
2332	Ghaliknf.exe
4312	Gbiaapdf.exe
1640	Gdhmnlcj.exe
1032	Gmoeoidl.exe
2724	Gomakdcp.exe
3412	Gblngpbd.exe
4848	Gfgjgo32.exe
4812	Hiefcj32.exe
2636	Hmabdibj.exe
4844	Hopnqdan.exe
3532	Hckjacjg.exe
1720	Hfifmnij.exe
4044	Helfik32.exe
5060	Hihbijhn.exe
3340	Hkfoeega.exe
2384	Hobkfd32.exe
2484	Hbpgbo32.exe
540	Heocnk32.exe
3720	Hijooifk.exe
672	Hkikkeeo.exe
4340	Hcpclbfa.exe
3164	Hbbdholl.exe
2784	Heapdjlp.exe
2120	Himldi32.exe
1612	Hkkhqd32.exe
3052	Hcbpab32.exe
1164	Hbeqmoji.exe
60	Hecmijim.exe
3884	Hmjdjgjo.exe
4068	Hoiafcic.exe
2696	Iiaephpc.exe
3988	Ikpaldog.exe
2016	Icgjmapi.exe
1224	Ifefimom.exe
1672	Iehfdi32.exe
1616	Imoneg32.exe
2360	Ipnjab32.exe
2864	Iblfnn32.exe
3528	Ifgbnlmj.exe
4016	Iifokh32.exe
2012	Ildkgc32.exe
832	Ippggbck.exe
4060	Ibnccmbo.exe
4300	Iemppiab.exe
4728	Ilghlc32.exe
644	Icnpmp32.exe
4852	Ibqpimpl.exe
1912	Ieolehop.exe
3940	Imfdff32.exe
5080	Ilidbbgl.exe
4592	Icplcpgo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Jcgbco32.exe	Jlpkba32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjlfi32.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Eikdngcl.dll	Kepelfam.exe
File opened for modification	C:\Windows\SysWOW64\Kdqejn32.exe	Klimip32.exe
File created	C:\Windows\SysWOW64\Icpnnd32.dll	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Lgmngglp.exe	Liimncmf.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Kebbafoj.exe	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Chdfonda.dll	Hiefcj32.exe
File created	C:\Windows\SysWOW64\Himldi32.exe	Heapdjlp.exe
File created	C:\Windows\SysWOW64\Jlnnmb32.exe	Jmknaell.exe
File opened for modification	C:\Windows\SysWOW64\Jehokgge.exe	Jbjcolha.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Gogiek32.dll	5fe4d7a115a1db85ce926c78f4835b1bf2041efea28569712eb245effc62db10N.exe
File opened for modification	C:\Windows\SysWOW64\Hfifmnij.exe	Hckjacjg.exe
File created	C:\Windows\SysWOW64\Ippggbck.exe	Ildkgc32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Ghaliknf.exe	Gkmlofol.exe
File created	C:\Windows\SysWOW64\Qoecnk32.dll	Klgqcqkl.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Hopnqdan.exe	Hmabdibj.exe
File opened for modification	C:\Windows\SysWOW64\Kmncnb32.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Fkopnh32.exe	Fcckif32.exe
File opened for modification	C:\Windows\SysWOW64\Gomakdcp.exe	Gmoeoidl.exe
File opened for modification	C:\Windows\SysWOW64\Kmijbcpl.exe	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Hkfoeega.exe	Hihbijhn.exe
File created	C:\Windows\SysWOW64\Mkoqfnpl.dll	Jeklag32.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Kfoafi32.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Enlqgg32.dll	Hmjdjgjo.exe
File created	C:\Windows\SysWOW64\Jiopcppf.dll	Jbeidl32.exe
File created	C:\Windows\SysWOW64\Kfjhkjle.exe	Jcllonma.exe
File opened for modification	C:\Windows\SysWOW64\Jmpgldhg.exe	Jehokgge.exe
File opened for modification	C:\Windows\SysWOW64\Jpppnp32.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Kbhoqj32.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Fmfmfg32.dll	Ecmeig32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6748	6400	WerFault.exe	289

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdnjgmle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iihkpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hobkfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlpkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfifmnij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icgjmapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heapdjlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmknaell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdhmnlcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcpclbfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icplcpgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecmeig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gblngpbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkmlofol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heocnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeklag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifefimom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iifokh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkfoeega.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcllonma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iiaephpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimekgff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Himldi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikpaldog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblpek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imfdff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedeph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnchp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghaliknf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcbpab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iemppiab.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjpohk.dll"	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbinofi.dll"	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmknaell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npibja32.dll"	Ilidbbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adopjh32.dll"	Iemppiab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeaikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfkgaokd.dll"	Fcckif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihbijhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecmeig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndgjk32.dll"	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegnoi32.dll"	Hoiafcic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhjmp32.dll"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kefkme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldjicq32.dll"	Gkmlofol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll"	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll"	Jpnchp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hijooifk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifjigbdo.dll"	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Flqimk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edpnfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecandfpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfifmnij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5fe4d7a115a1db85ce926c78f4835b1bf2041efea28569712eb245effc62db10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmabdibj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilghlc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 4452	3436	5fe4d7a115a1db85ce926c78f4835b1bf2041efea28569712eb245effc62db10N.exe	83
PID 3436 wrote to memory of 4452	3436	5fe4d7a115a1db85ce926c78f4835b1bf2041efea28569712eb245effc62db10N.exe	83
PID 3436 wrote to memory of 4452	3436	5fe4d7a115a1db85ce926c78f4835b1bf2041efea28569712eb245effc62db10N.exe	83
PID 4452 wrote to memory of 4828	4452	Ekemhj32.exe	84
PID 4452 wrote to memory of 4828	4452	Ekemhj32.exe	84
PID 4452 wrote to memory of 4828	4452	Ekemhj32.exe	84
PID 4828 wrote to memory of 2020	4828	Ecmeig32.exe	85
PID 4828 wrote to memory of 2020	4828	Ecmeig32.exe	85
PID 4828 wrote to memory of 2020	4828	Ecmeig32.exe	85
PID 2020 wrote to memory of 4232	2020	Edpnfo32.exe	86
PID 2020 wrote to memory of 4232	2020	Edpnfo32.exe	86
PID 2020 wrote to memory of 4232	2020	Edpnfo32.exe	86
PID 4232 wrote to memory of 4652	4232	Ecandfpd.exe	87
PID 4232 wrote to memory of 4652	4232	Ecandfpd.exe	87
PID 4232 wrote to memory of 4652	4232	Ecandfpd.exe	87
PID 4652 wrote to memory of 3704	4652	Fcckif32.exe	88
PID 4652 wrote to memory of 3704	4652	Fcckif32.exe	88
PID 4652 wrote to memory of 3704	4652	Fcckif32.exe	88
PID 3704 wrote to memory of 1660	3704	Fkopnh32.exe	89
PID 3704 wrote to memory of 1660	3704	Fkopnh32.exe	89
PID 3704 wrote to memory of 1660	3704	Fkopnh32.exe	89
PID 1660 wrote to memory of 976	1660	Flnlhk32.exe	90
PID 1660 wrote to memory of 976	1660	Flnlhk32.exe	90
PID 1660 wrote to memory of 976	1660	Flnlhk32.exe	90
PID 976 wrote to memory of 2516	976	Flqimk32.exe	91
PID 976 wrote to memory of 2516	976	Flqimk32.exe	91
PID 976 wrote to memory of 2516	976	Flqimk32.exe	91
PID 2516 wrote to memory of 2224	2516	Fhgjblfq.exe	92
PID 2516 wrote to memory of 2224	2516	Fhgjblfq.exe	92
PID 2516 wrote to memory of 2224	2516	Fhgjblfq.exe	92
PID 2224 wrote to memory of 4092	2224	Fdnjgmle.exe	93
PID 2224 wrote to memory of 4092	2224	Fdnjgmle.exe	93
PID 2224 wrote to memory of 4092	2224	Fdnjgmle.exe	93
PID 4092 wrote to memory of 2552	4092	Gododflk.exe	94
PID 4092 wrote to memory of 2552	4092	Gododflk.exe	94
PID 4092 wrote to memory of 2552	4092	Gododflk.exe	94
PID 2552 wrote to memory of 2168	2552	Gbdgfa32.exe	95
PID 2552 wrote to memory of 2168	2552	Gbdgfa32.exe	95
PID 2552 wrote to memory of 2168	2552	Gbdgfa32.exe	95
PID 2168 wrote to memory of 2332	2168	Gkmlofol.exe	96
PID 2168 wrote to memory of 2332	2168	Gkmlofol.exe	96
PID 2168 wrote to memory of 2332	2168	Gkmlofol.exe	96
PID 2332 wrote to memory of 4312	2332	Ghaliknf.exe	97
PID 2332 wrote to memory of 4312	2332	Ghaliknf.exe	97
PID 2332 wrote to memory of 4312	2332	Ghaliknf.exe	97
PID 4312 wrote to memory of 1640	4312	Gbiaapdf.exe	98
PID 4312 wrote to memory of 1640	4312	Gbiaapdf.exe	98
PID 4312 wrote to memory of 1640	4312	Gbiaapdf.exe	98
PID 1640 wrote to memory of 1032	1640	Gdhmnlcj.exe	99
PID 1640 wrote to memory of 1032	1640	Gdhmnlcj.exe	99
PID 1640 wrote to memory of 1032	1640	Gdhmnlcj.exe	99
PID 1032 wrote to memory of 2724	1032	Gmoeoidl.exe	100
PID 1032 wrote to memory of 2724	1032	Gmoeoidl.exe	100
PID 1032 wrote to memory of 2724	1032	Gmoeoidl.exe	100
PID 2724 wrote to memory of 3412	2724	Gomakdcp.exe	101
PID 2724 wrote to memory of 3412	2724	Gomakdcp.exe	101
PID 2724 wrote to memory of 3412	2724	Gomakdcp.exe	101
PID 3412 wrote to memory of 4848	3412	Gblngpbd.exe	102
PID 3412 wrote to memory of 4848	3412	Gblngpbd.exe	102
PID 3412 wrote to memory of 4848	3412	Gblngpbd.exe	102
PID 4848 wrote to memory of 4812	4848	Gfgjgo32.exe	103
PID 4848 wrote to memory of 4812	4848	Gfgjgo32.exe	103
PID 4848 wrote to memory of 4812	4848	Gfgjgo32.exe	103
PID 4812 wrote to memory of 2636	4812	Hiefcj32.exe	104

C:\Users\Admin\AppData\Local\Temp\5fe4d7a115a1db85ce926c78f4835b1bf2041efea28569712eb245effc62db10N.exe
"C:\Users\Admin\AppData\Local\Temp\5fe4d7a115a1db85ce926c78f4835b1bf2041efea28569712eb245effc62db10N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\Ekemhj32.exe
  C:\Windows\system32\Ekemhj32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\SysWOW64\Ecmeig32.exe
    C:\Windows\system32\Ecmeig32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\SysWOW64\Edpnfo32.exe
      C:\Windows\system32\Edpnfo32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\Ecandfpd.exe
        
        C:\Windows\system32\Ecandfpd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
      - C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Fhgjblfq.exe
        
        C:\Windows\system32\Fhgjblfq.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Gododflk.exe
        
        C:\Windows\system32\Gododflk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        24⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\Hfifmnij.exe
        
        C:\Windows\system32\Hfifmnij.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        27⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        31⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        34⤵
        Executes dropped EXE
        
        PID:672
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        36⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        39⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        42⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        49⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        52⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        56⤵
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        57⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        59⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        63⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        67⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        70⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2556
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        75⤵
        
        PID:828
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        76⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        77⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        78⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        80⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        82⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        83⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        88⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        90⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        91⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        93⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        94⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        95⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        98⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        99⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        101⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        102⤵
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        103⤵
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2656
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        105⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3224
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        113⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        116⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        118⤵
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        124⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        126⤵
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        128⤵
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1120
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        131⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        133⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        134⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        135⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        136⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        138⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        140⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        141⤵
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        142⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        143⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        144⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        145⤵
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        149⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        151⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        152⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        153⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        155⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        156⤵
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6200
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        158⤵
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6296
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        160⤵
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6404
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        162⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6448
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        163⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        164⤵
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        167⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6668
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6756
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6800
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6844
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:6932
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        174⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        175⤵
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        176⤵
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        177⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        178⤵
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        179⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        180⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        181⤵
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6412
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        183⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6548
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        187⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6876
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        191⤵
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7100
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        193⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        194⤵
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        195⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        197⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6708
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        199⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        200⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6920
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:7040
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        202⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        203⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 228
        204⤵
        Program crash
        
        PID:6748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6400 -ip 6400
1⤵
PID:6684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
1.1MB

MD5
5905ae084b725ed1f9aad02a10f7ef07

SHA1
13fb246d73a21f2def664f80bc1f193114eecb51

SHA256
0af2b3424a0c6bdbbf7d13b9456312c46792428d2486382717c4d9e5d10dcec9

SHA512
697759d2ad7c26ff80225477f5b0ec0f9a3db3821831de83f9633f278686e1b6cabf48d27a69f57b6d5411095d31da6cd48cdae0d67346ca7ebbfbfe0cbfcdbc

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
640KB

MD5
bf1c6d7ff1565d7c61d5e7e8bdf7ad86

SHA1
d4a2872f25b9a508b597329c1997b9157fe96ad2

SHA256
7b3797b7e5b94ac9c472768eb28aeedc11e4395dfb96f060f856f5b65b1f84aa

SHA512
4f02049bcc61eb58bb0172677585cb8a8be22316e0f1d94bb4c7b474df1951678772db7c1b2abbc782f86e520af36db849dc926a8c957d67c7be675788832fee

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
384KB

MD5
0c9009b633ef0921aad28077159db950

SHA1
5d3b9a00f411bd54d5af0e483c0ac69d98bb95e9

SHA256
0912e292734c2af141afc3d13e7f98acf96d32ea85c9e2ae94b2b9a7da24dcde

SHA512
a30710ca65518b87ae21dd8ee0236ad41156a239cd4b4496870ac3cff73e9dd192d3ff1eb58202ddc6ee1fa361ce76bbb43d5118f25bddf425603df0adb30e99

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
1.1MB

MD5
bd0442a8cfb30a64ea320fd0c26a7f78

SHA1
7ae8d9cf8ee6c1b1875ede44b8c351e36ce85641

SHA256
1366b467e152a7bee31b5e0a75705a458d43cd7587cafdf8cbdeeb991a2c5854

SHA512
247b7decca75961c8a5e7dbbca11d9c4a06096fed0137e1069176bc970fbc213b87dffe35ff91889839023ec5816c6f009ccde0e8b435313959c295f8cc0d261

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
64KB

MD5
0f2f772d6529105f1db316179a2397d1

SHA1
743808b20daed7d557e3072f6c184db5183e80e4

SHA256
ed274d73faf0663b72dc9630eead5c2e0c3a1d0149d9e4164656a2098d38cf02

SHA512
bcc980c186ec3fd19b50ebd58041e1321f3ee519e84be12131b63c44078394439c66e1fa34f3f834fee205615ad91bacbe299cf7bb710f81e6113be653b8b8a7

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
1.1MB

MD5
1d2b95ecbf20406adb76c986b0a120d9

SHA1
a5ba493102b94270bb70c6da47b9a6b5cf0a073d

SHA256
db412cedb711a006f0534107502422a72dd6156844548879cbb5f194f087f634

SHA512
3784d92b2b705b58f540b0ede1f20f8702ba6cd0be1d5377fa5df97d173114c9e54ddcdae1dec43d990408512ff85d1b102d68520e225162208b477c66e06d89

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
1.1MB

MD5
df17ca6516f0221200b9f3301332dca6

SHA1
c7d8dee19b14617e448244d2c9475c7fd3dfa208

SHA256
91026a43ab8bfb1860578ee2e59d07d3c7f7c7203891d823252263cda8ad52ae

SHA512
5ef19c146c310d3619a7a2cfcac207eeaa2f94de8cfb320a56c031629e286df3f5edeadac79e5625beb3c6a7f21ba1a84079c42dd9e722a028a3e309b7b28e8c

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
1.1MB

MD5
f249f9a227aa9067d980c00db88bb881

SHA1
b599a5008e09b7dde590c3788cca5ae3fe751142

SHA256
1c49b23835b3fc227cebfd0e2a614334001606208ea1fd71a5e3a3933dccc2c3

SHA512
4c3c4389ead0e586ba5236b54ec10a6a1ea2d2e74681637b9a8c3d50e98149c88050bf59d804a8158dbc2e8849949db7f9545d30888cd97ff71fa659a97aa255

Download Submit
C:\Windows\SysWOW64\Ecandfpd.exe

Filesize
1.1MB

MD5
64f35e287ba80c1a8e9801535234f5dd

SHA1
509faa56281346a98037031d57e21352a5d3cff5

SHA256
0b54f23fe4b36f789983537df916b5028364cc4c47846712b289b2a8ff9e9993

SHA512
eead4925144bde07c0ae3ab6aea41de7381aec616ae6bd7f3173a1c4ea70392a2a3be3440f69223988e44b3fda208b48debf2cc9d3bde705f176df22bc88d6cc

Download Submit
C:\Windows\SysWOW64\Ecmeig32.exe

Filesize
1.1MB

MD5
eaca40cfec5972220cea166972942627

SHA1
6191f1a91f7770ed168dcc9c553a79d66a4553be

SHA256
f0229f797993f1de217cbedb119aba83052dcdb1299e6bf431a2d8586af15fae

SHA512
8e6a2f4777f56f41778cd050e2d41a0dad7e1f963c910c8a5b9ce9ba6b5adae1ed000944120a175c121d9aa68d9417ea5d02e04957cd2a2f36dd404ac9219e12

Download Submit
C:\Windows\SysWOW64\Edpnfo32.exe

Filesize
1.1MB

MD5
8be2236b565d8cda622aa2c457bcd2c8

SHA1
0eab0b00c6c0807760f3be3975e9728ea0032878

SHA256
8d590eecaf83df97684abe6135fa46109fad83f8ff2facd86c137d52d52580d0

SHA512
8d03b8f3ad519bde09be0130ce74b78408a263c1322c641bf6af73194de0e073ce6fa024c18d7bb215adcd90b915b491c9edff57f13ffd01483c093009ecaa5d

Download Submit
C:\Windows\SysWOW64\Ekemhj32.exe

Filesize
1.1MB

MD5
91e0ede2703c1eb25eee5d41923f1309

SHA1
0ca21446661b7962533d5f087954c82532539e92

SHA256
a531623a2b4352bcbe24c5e1de987d55a5349bccf1bbb398679a0b0a9ace9662

SHA512
474aa24473e5313234a23cf02b78441a6ed2915c04b4b1fd3974b4088217310bfbedeb1af13fa71840511c68eb9136b36a642b1b15d7569d09db59a2e48aa78d

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
1.1MB

MD5
176af6cda027d1855d9dd63c8397b938

SHA1
230ce1f2557ba38f8380aaa3a4cc4d5ca7db4aa2

SHA256
f1d017f6bac9089164de059dd55e8a887fd535f0d32d721c7db7afee0e864355

SHA512
f5f214b971017b543ebfd2a8345b0811e0d7fabe53efb674c120df97d5e8ee06fea7266ebe0daf7f66fdcbc9e1bd78c27b16a018387d6019157d5b32b853e95e

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
1.1MB

MD5
c61e05c4a668386eb5216ab38e93c78b

SHA1
5d8c85992afbe1ecf87a8da307dd1f23d868a437

SHA256
863a28cbdafb5496b4860b20b7e0f0e7d7aeb41a421f195bb62bce3b1b01cd20

SHA512
4c607e305b7ac760486d2566116e8965540b071ce88c4a995f37a469ecc210a147e6f8c570490e3588bd389237346c0ce646b45cba06e5cb24966ca60847f9b6

Download Submit
C:\Windows\SysWOW64\Fhgjblfq.exe

Filesize
1.1MB

MD5
6e0d68f248d5ce048ee915706e3d8234

SHA1
3e0ef9edfb7dd1c57e2c19947f4da07f58f494e9

SHA256
4d1d5c0cc55da519576e502e2d4bb47ea7e6c564f16557930dc13b7efd2a5fa5

SHA512
69cf0989ae83492012350941afd0df7087a0f5acb853447818cf589877604399e4b22fe32190e100716e754c4ff2178fb4c15bc076e30cb20079461637206f16

Download Submit
C:\Windows\SysWOW64\Fkopnh32.exe

Filesize
1.1MB

MD5
ee828423b1999004d3bbddaf5e872fd5

SHA1
9ad79cff804516f8be9098e36aadcaee443ace36

SHA256
19fbca548e54fcffcc68bc81cd1ff8ef78b9c4bbad8f6c30bd459f6300311612

SHA512
e9dd8daabc4fed356639300dd16f93ca84bd42c60a2e773975ecf58ea920dc6afe7f6e7f01488d89e7ecde6da2c78d5356d48b67b599d1909ed0fd5427362454

Download Submit
C:\Windows\SysWOW64\Flnlhk32.exe

Filesize
1.1MB

MD5
bb85da4de2cd1868dc4af897d5a20e3a

SHA1
20d4a880c76e343d11f7419cc7d078a90c3f276b

SHA256
cde735c6e82ad3adcc4270820100f4a551a32f7837da697333b7943ecef48ca8

SHA512
7761bcdefccdeffec2b580cd790ba85c2853359e40e70a31912968ff8cdb990482085281fa612d6626300e0b119831555e74c0a1805843c64fd8f3679d52e1a6

Download Submit
C:\Windows\SysWOW64\Flqimk32.exe

Filesize
1.1MB

MD5
7f66167b9d8572144f3ddc4fbb8ac3d2

SHA1
66a84400fcdfa5c64213be090d3c66806fafab56

SHA256
4e620b422799fd7b45a0461e286a489dc0ca7274a00cfa40f212b78fe5dff311

SHA512
a98d2c645a763e78e00562bc67e1f42eedd66125c16ab81c8ab2651967a5678d4b5903e07b1a0d5fb8603f9bcd76134dfd78bcf4543331a9f86e13e081d4e9db

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
1.1MB

MD5
6750e51327f83c76de90a8bfc139988c

SHA1
36203756a13ffb0eb6c5f97b40fe324d15917ff3

SHA256
bca1b26c64d35c21cbfd8f37a2d5a5be49caf7e4d258cc8e5926c8f1d6c1ea57

SHA512
0d42900fb6eafb7b0b8c2d8e296b0573be7d81bf98176691d0a2cf62d31527a19141cfd1077c14670eda026f58011297c162d5bb62cdd2ee2be6dc456d8148f3

Download Submit
C:\Windows\SysWOW64\Gbiaapdf.exe

Filesize
1.1MB

MD5
74ff04be48227749f5e6e85d86f0c4a3

SHA1
1e7db572a47d088f85e50fa83b044d82b48d837a

SHA256
d5743302236e97c72431c97109027013c027c6aa636a2c93b4c3aeea809e7975

SHA512
b7f1bd9500a72e78a9202780ff0233d8a9897a2afb2729f468bf14b5934d123eee0d1e3aa78f1777d46a6bf1d8b065d39f1064ee324035a55cf135e857eeaceb

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
1.1MB

MD5
861399c430994b51060bc09e857c65df

SHA1
d2c411da103cc8c3745d1a4ca3192bfd2788129f

SHA256
6708ebd663d83e9648ba632c772a4c68e8928abcfe61ec0ed28dc9dc9b6aa201

SHA512
26fee2d4754ef38889c6b6e442af8e20e05f10043f20f7297fe051827d5d0a6759d59a5846bf6bbecbf40b31bba48e1d8e85ebe4f9504576cd1ed6a8b9a97495

Download Submit
C:\Windows\SysWOW64\Gdhmnlcj.exe

Filesize
1.1MB

MD5
7f6005736dc8a726a52d336576c77da5

SHA1
6c43c80787888b0bb286e36fc8084b874a12bfb3

SHA256
e59cc0a1010f30d42d0c5c86e3141274d2495bf3da1ba9b139d836141765c8d2

SHA512
7c6a7bbfa09027f5080ffae848c16dbc2d350a7d2849be5fc7d24308f2b43d5064e4239bf2e0a11acea5e0bc64beb85f9490237e91ef1cf8248d57a856282828

Download Submit
C:\Windows\SysWOW64\Gfgjgo32.exe

Filesize
1.1MB

MD5
b1597b18e35bd98d956abde66711dd25

SHA1
ba22c15b3415468a07ec3915914fd2d7b8b633b1

SHA256
a0243bb836150e6ec65bf98eaceeef0bfc7f15a6a27ee98a2fe1cfb776b3ebfe

SHA512
abcc9b6014df7e6475ed13ba82387be7e197e29e902da38bcc4c2c2c6aa6f6fb4591496efed8a12f42e231714f58ef92ac65c4098a3dcaf69f63d245fccfaed9

Download Submit
C:\Windows\SysWOW64\Ghaliknf.exe

Filesize
1.1MB

MD5
74a24cb90da4d49d56058fb82bf58b7d

SHA1
5a4a37243c1ac85ee0c51c7a185bf5c3f8f82eab

SHA256
b73fa9307f1fd672bbe0cadcc5fd9eb7294ffc68b8f159ad6daf4924faab1be4

SHA512
6488f93be540b095ac81170cd0078ecfa3b5f6b133198c48f3eff3e9e37d7037ac62bf7f5cf478bc4fa50bea06f3c36276ec2a54250d566184d74eb647fdcb58

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
1.1MB

MD5
87171fc7f1f8506f20724393b46ae0da

SHA1
9c08af81b68f43ac3e3bc8705511e47344996863

SHA256
b9ab9a47b742ada8d99115bc97d54a7fee2c55fe3078aa43336a816cf7feaba3

SHA512
820071639368309e603131da481509e3701602a74d575561a8d325167e943fef04371b3a34b34bbf8ceb47828366224324cdbe6ed3c3cfc1a2b379eb3f687fbf

Download Submit
C:\Windows\SysWOW64\Gmoeoidl.exe

Filesize
1.1MB

MD5
e04540a9cd1b0a4b07fd90e4a83e480b

SHA1
2eb5c02db53db5f79276b2ee66b35e2a4dd3ea4b

SHA256
0d94dd382b1fbb19904bd206eb2368d66db8894dd21cdd7c21cc74f12f6bb54a

SHA512
557aa382eb184806665810852e484ad7fef3b913ac4aa720db30c9307ba64b839a4b6ce31339cd1cdf5e6fbd440c98a55b4d48b55112e666db6445a93d85da6a

Download Submit
C:\Windows\SysWOW64\Gododflk.exe

Filesize
1.1MB

MD5
e5e3e0c11c6d8e283cd1641706081302

SHA1
429cb4c589cda72feb354880911f70c0c7c33c8b

SHA256
846923638a2d319cd2cad38a35617272a265ba9018f92b19234d3262025bf74c

SHA512
ec89230ccecc42cccdedb42830f29a70354fb23ed83bfa9d839580cbe87c14e6df3ffd3131c8a688f173772a8d227995b2b2563cb47dd607354f114c6ec62f98

Download Submit
C:\Windows\SysWOW64\Gomakdcp.exe

Filesize
1.1MB

MD5
29d3dd07926afb380c0893fcc1f8a192

SHA1
c95299e8861dcd5ace76fe6692ed8bb1ddf64b1f

SHA256
dd69b6bfb33f2f67e28959639f10c0e621117beb24c50e5a812e8913d7e7e08a

SHA512
0209eba15be14954707578b76ad8e80bb695530ddd3519733b438d7880027061718193c2b7a09ba6dd571acc0bdce34908d0cfb8ddf98b119508e6f1f3a4368d

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
1.1MB

MD5
900c7004438540f0a4095771227de464

SHA1
d705056cd328dbe6320d668afeffdee86ce94cd0

SHA256
505956e3460859a3d8e707ea9d1cc335ddd4801558a6635c459163f39320c095

SHA512
c969ba8863df6ef255cdce3a5a69a68e41b90367d2b1f1b065685a483ab298b78f1e38b2bc62afea83421c62a5fd2d46a7e8e47c206e3a7e3d60259893a3fa78

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
1.1MB

MD5
ba5aaf5b9564e1e4cd17e5fb13de3648

SHA1
b8a4a11e271f03c8d1a72e5aabce70ff1429f382

SHA256
32ae949d5f7e649bdd0a13c0c12ba0d908377e25930d8e177337f449cf80897d

SHA512
546081f94e7ac382abe03783ce0daa8b2a958ee2f6cc5b824d9a3aac2264f16dceed41c6d9279b019758e7dcaff4d3fba8b51e8c974baf6945081bf8bfa8bd7d

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
1.1MB

MD5
a010ab42602657ad7a3558c3615604d0

SHA1
0fc8f130e5dbdaa46be9c666e111a13cb6fc1fe9

SHA256
2347874417f65728cdb9386e3652136208c40d5d71f12822469dae4f08d0b576

SHA512
114eeaf3264fcb46e8554d518af65d8de844537de8c20aeeab6f293d8f3d7467db3d7e476acb57c56d8b00d059f2170a47a1b13da8036a5c576341b3babcfa33

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
1.1MB

MD5
2c65bd30f7e5353cc4e4d08310c61c5b

SHA1
3315ba2ceca820ada72bb7b806f4a2433c06d0ff

SHA256
1f5ee84f8c6843824c50b1551311238e830d49f829a6ebc3ed5c04beae6557a4

SHA512
b70fd643ae136d407427191f71cc55ad16945e8ab9dace008d29d37ed4c12501cfcf2dc32b45b2e07d46984349f90313b865a948e7fcb8713fc8d59af5aa25cb

Download Submit
C:\Windows\SysWOW64\Hfifmnij.exe

Filesize
1.1MB

MD5
dcc7709b916ccecbf6dae499ce012bf3

SHA1
0ecbfce448214ebdef32ad7e3310b9e950133876

SHA256
deb087e29037f8e5a8348f455094a3e1e427005d1434f2100dd5005ed41fd488

SHA512
ef9eb1ff19a9efe3c9ba0be9d397dfafd23581df40cc43ecc51206a2578c38345da7569512f8970367ee6b2afe7f86573e7d168b89cb96e70ca0618da2c59ba3

Download Submit
C:\Windows\SysWOW64\Hiefcj32.exe

Filesize
1.1MB

MD5
099c82e7d7fc31a96170192d2bd88cf0

SHA1
b2d75a9d1bc11d912a892e14cf88997a51f798e5

SHA256
4276a132747afd3b5d8c6037b653d6fb4e6ce79b9e7ef0003de5aa6decc54b97

SHA512
cf693c9f85c063d627218f8a7364957d6fb71824926298575a0dcd25495ed0fffb137ef5bc731ee70f5421ba25a23c11f4e197f59a9cbb1c3b5b742f2961f129

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
1.1MB

MD5
8af008be6077fae01f3e62335b702d24

SHA1
fb055f920d486d6fc948bcee1b0710081e93d97e

SHA256
e41ee36319711d3a67afffba281018c25cad124d5de360bd3bfda20173a2ae53

SHA512
a628055b5c60edb1e4836bab8829f2b2a9afb5cfcd63e4e536c72baa5e49ada322b38dea3ee3afadbbce15c9cd9766d17bd7ab9911e2fbfa93e7b1555af49843

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
1.1MB

MD5
395087bc91fe2efde2cda266509b3b31

SHA1
30baf93f3ca9b7582960b34c834146f94c2c41ee

SHA256
e74b0c1cd46a2672e81a67c2750c506cff4d99d85d0775b5bbd65a8691e6d52f

SHA512
e3798a7dd5c398715c00d2ed7337af3ff39bbaec2b9f6616846e5033f0008de905138da1b8386ed6e72e226afb01f55ca50ddfaa71f9d3f05ad97da8d11788c0

Download Submit
C:\Windows\SysWOW64\Hkfoeega.exe

Filesize
1.1MB

MD5
bbc5aac07d29ca13546a9fd42b662020

SHA1
a41f0f355d60f36fc7f7b2421536d050ec596b0f

SHA256
1680044de59e9b7e0889ec57450655ef4e21744a3a86e4cbbccbfb5658ba313c

SHA512
4c5e68416ff94949df25e8ca89d8c586059efd0b714a150a29f0f2c8b22f3c2c483ead6ca16d5c214d367ff7f1e1183dcdc437580c791423ede6c36c98e512c6

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
1.1MB

MD5
667708cf841351c0718f2afb657ea27b

SHA1
7601938a274cfa7e21ab991701f2b00ec08f3c73

SHA256
eb292b74681f8271da101846bf11827d1275968a430b12fe8014223ca5bf4bd2

SHA512
469cc5f7cb57fb8f5174584747e445e185677516c314e83fd1aef18bc48d94bb29ee5e8c2c3bd047ba528c570cefa3c88116ce9bf63143222d2c6dcc41796665

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
1.1MB

MD5
801e6baba46b8f550d691861748c767c

SHA1
5013584226d3cf9170fe02907f6f0806a9bcd79c

SHA256
3928ce7485c7a2dc983b81b5b4e2157626bc3df51f987f85f12cbc06aa2130a7

SHA512
cbe2baddde18a36510ccd73d4a39f42b5f908058ddf19bf8e55257bc9e43ca86bf719cdeb443de5ae1f695938a3316fea848fab396fbebb71f1f28e33c4800e8

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
1.1MB

MD5
beb8d000a15dfbb9d19f036be5bf40e2

SHA1
910a8c00e986952882597860a0063537342a322a

SHA256
b08d3f0632f266d026c2465a1e6f40ea3863f00b38e2f72aa20b45882351d833

SHA512
2a26a2a07e425875eb8cc507156ac44ae1f1b651cd1189ea3467f838beb5c7f11bc71ed2b88979e0fec53ef96ecf5ea1d8ccfe9bb922bd821123cb81bc85e0b8

Download Submit
C:\Windows\SysWOW64\Ijmanlfp.dll

Filesize
7KB

MD5
c57e0ce12ee710c1e7a13228d9f79ec3

SHA1
856d8f93d90e8b87e0605561868136407cebc6a6

SHA256
a7f156a0474e788032e578eef7726f27807acdc34a029b4450e9524c2e6f428d

SHA512
ee165229f3dea6df6b200dd14686c0265a4c307c59b6c26e8efe61793b0d33f8f786d88f93c39c5919ff6eaa63199de78a66622906510bfe103d47b0baf3a448

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
1.1MB

MD5
309d01ebd674af18911cd60895811e40

SHA1
e5dae42626dc2ccb0c489151a64d33bc4e95e8b8

SHA256
e67f52b5aa142ff5083e1e797b7ebd0bc33bb4226feb8054c08548cb40d9a046

SHA512
0badd7f02a6edc2a5d4ab7b04f78c599d4dd061df198aefee533e666b11329a11271a671d1b2d6ff1f8718cae41d5d21141b5931693282571c28c58944b42a22

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
1.1MB

MD5
5031c298badb2402b9039d87c9a6ce86

SHA1
d5990b4c86a95c22e96d703ff23b923a3479dbdb

SHA256
afa60a352af0d2d2598d311c31146023b99e849740efec4093a6071c944c5488

SHA512
f4f0c3cd5b78b0c88f94c895b7d6a7a5fc3129a2001c8c3359cece8c9a9cf65aeaf7bc10c8c759386b97af2f40288b5c706ed3a6807bb7165fb643ca616e0dfa

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
1.1MB

MD5
938a5f83d8107d3e83cde110165d0172

SHA1
6e30ba80c5434f88ef2b4c51dffd078d63fe0cd2

SHA256
cfce1d9b138d243fbecf3513642547ddd7769b6014c83f31d45911d64f2b813d

SHA512
d563b5cbb1230285d07274fb84c7bcd8ba97dc9dc298e89d1c98ceb98c6c9dc9065f262cc4cf4ae2433c2853dade4b61ddf10edb2c81ab40ce98a033a9f04a09

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
192KB

MD5
3bb3172a9cb00b0da4f0a0fdce822d1e

SHA1
7cd4e0ccdb62164b7f7c2ea1e42f5585a95161bd

SHA256
47b019e1335dd1b187aaced58a1bca2027e8219c1f82b6f3b85c1af55881eedc

SHA512
62f6828b4b78d7e810a417d50800b6365e2c00d364da458e3318e172267898bb759cb197183a3cb62061322de5539aa50650ffabd8667b16b43bec9e9097721f

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
1.1MB

MD5
62ab89d639defd2b819c492aef2ba97e

SHA1
98cd00b044e4c3a78ec3bff894d5cee3d2035a06

SHA256
006f7be115573703221b8781e68b67bf9a1277135fde4bf00d40ce4a7469f47a

SHA512
71b799c989ac5fa2eba9a2ee3ecac9964895e849c24074dd050bac78c4d7a6ec91c89286f52b595506dcea036de1ccb3460bcaa4afb5ba9201e655fed1e66be1

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
1.1MB

MD5
0a0b373dcd39349c5a594ee230881624

SHA1
66273d80b45fe51290d1730d96e86e36ccdd4239

SHA256
4e5d0f043fa8b2ad48e17b53972832cacdc9e02f3f15ea3c1e3303f9a5a9d23a

SHA512
a3c8aea8fad6ee3a2353dc26c58b1a77758459688626413e44ba6c87066e2e52921f3f75ae483c1561bac4c4ffaa4c8138331eec8cf6602c108f427012094bef

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
1.1MB

MD5
62134a086490ceaab59efe5b17352d84

SHA1
e926003b671536bfa086b133553123646ae9c366

SHA256
483cb45d82db5ac2f648db36cf113726ec933ba7cde0611a2b209464597d8cbc

SHA512
4efd80fdeeab19361c4f89d99e3c2b26fcfeccf52eca5bcdfb7c04d72947d0d76c26c83d09f4d4d051e99adc16ac650858f111bd827bd53e0db9e4c623f7af40

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
1.1MB

MD5
ca465862fc9116e5dd5973f784a8f9d0

SHA1
10f79dad0ef1ef9af09b9107f9b6caad84a34f81

SHA256
cc60cda80b38b512b6880ade00f4a7110fbc976dcf084b6829654c7e76b355d6

SHA512
d7a610863811204d87d0ac3b7f01175e35fcc0fb30d47a6f6842d9eea3cfc56bc65bb8fca262e7580fdc3c94b1e99c030b622fc531943823c914feabe5704cd4

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
1.1MB

MD5
fd80d13bcc90cb0d4423c1d64a3f327c

SHA1
c81e58c4fd951c5ae4d6cbbb4caa4930e05ec101

SHA256
e8f726113ad383315a9b67afec4369f01a0e6c7163ba307ce127a8de6755a4a1

SHA512
36c1606664808819532816ecd3fb4fba82f6c66ab999f94326f2ca2c785a10ff1b105e0b95c6532f7691650e0ff530e0760c5153058597683d1d486211587973

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
448KB

MD5
b989d9a1743bcb3c8993e30fec0981ed

SHA1
ec5e62eab0fabaef6e48f1159021f65d4a868100

SHA256
8ef451d390a9510fe88cdc0a681b477e27e1789d7a223424b26d922e3b3da5a4

SHA512
2e8dba3129e1f69faddadac42a419632b1851990242edee0c43062d65cab13a6c2e3800a3ce35ef5ec439c004144cadc4de9cdcbd28900c8f42fa5cea2646fd3

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
1.1MB

MD5
4c7a015374724ebb028a3b0faaf11851

SHA1
889d9417729e97568a01a4a662ed224763177c0b

SHA256
4d2b4dedc68cd145eb2e59913a7f1fb056a8b68a8fe59e1b6b1cca90755c9f42

SHA512
ed1d8e63fd1ef3ea6ec187d176a051a2142dc75a15aeb05ebbe08b38c3c3449c8e91decc5ae31a2273c05f3e50ab1fac378e6aed2d16aaaca966fde2a1c908cc

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
1.1MB

MD5
1b5b04254746f8a32529d0f143950aaf

SHA1
55a8102c5b6d13bfb855103843d57ea1470a1065

SHA256
6025e202507cc0be5de3e90b68bbe4b7933e4aa04f3cf2ed874a22eae28d44cd

SHA512
c9d14e47c31dbff90a5044d25fd7acc5c2f856ca60d8936bf23822d728af691584eb087c449f0c06376bea7ee9eec75f5332de75fa9ec563491c9150d9cb375a

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
64KB

MD5
4c18c8e70112e8cea5eddd7931d443c5

SHA1
6db6db6531e46aab0195bfe9aa91e93efa902c08

SHA256
b8acf2f62afacae8cd124bc58610eb0e0f04f837c7130fdd2c766b3d08065055

SHA512
e4a1453e4f8a67d0ba146442611c72e4422dbfe7a0a73a9d0d7fce72747275a48342b259e58c83ecfb753005c1e682c5b25e7a517fd3ab0351c7083b0c9b1d11

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
1.1MB

MD5
dcf05851968a32ba2496f3e61a6ce29b

SHA1
713d1bb8f6b8249352c0ecfc2da6ae2e23fac1a6

SHA256
71e93740f7f479073d760cc849781adc4e4c14c8e0753dad948b95b469f7c442

SHA512
bc11669689955156c25b5b6834c9ad461c178c793f74bd13262071a65f5b071936bdf5c1697cacc7bee3a12c3c0ecfe445f0357fd16495dbfa64c694f9753c77

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
256KB

MD5
1702db6b851c8f1a88bbae4b7b877be4

SHA1
56819a129cfac1dccfca30216f240193eb22c0a2

SHA256
9cd463d1b6afc31409d91a0a40322e1068ec9ce566d6718438dd59405254408a

SHA512
e65610d9d62e25be9744ea431a0d27245ee893852ac33701e36804bba34afde0419c13229114317062c7929b0852cacf7ff9acbed327cd724ad590fed9b5cacb

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
1.1MB

MD5
aff892c4c14edbcd34608aa3e8e74067

SHA1
5c24bc6beb5b4d87eea162cac0c82fb9d874b422

SHA256
e61d7a86218760deb786680cea8f5bd0aed1af0ecff2f570fc3c85ca6d0c4c49

SHA512
800a182fdf5c5b8c4c76f473910586362fa4acebe2ffb9c5f57978a31efdd513078d1c6e16609fcaa024a44ba1dbe90704ef8c18db5488a0850ba3a85d04c59c

Download Submit
memory/60-331-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/540-268-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/644-440-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/672-282-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/808-476-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/828-524-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/832-415-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/976-156-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/976-63-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1032-148-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1044-494-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1164-324-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1224-367-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1444-506-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1612-313-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1616-379-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1640-227-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1640-135-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1660-147-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1660-55-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1672-373-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1720-219-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1912-452-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2012-409-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2016-361-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2020-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2020-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2120-307-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2132-482-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2168-201-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2168-108-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2224-174-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2224-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2332-210-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2332-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2360-385-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2384-252-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2420-518-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2484-260-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2516-165-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2516-71-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2552-192-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2552-98-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2556-500-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2636-193-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2696-349-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2724-157-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2784-300-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2864-391-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2964-512-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3052-318-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3164-295-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3340-244-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3412-166-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3436-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3436-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3444-488-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3528-397-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3532-211-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3648-428-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3704-47-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3704-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3720-276-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3884-336-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3940-458-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3988-355-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4016-403-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4044-228-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4060-421-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4068-343-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4092-183-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4092-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4232-31-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4232-115-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4300-422-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4312-130-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4340-288-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4452-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4452-88-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4592-470-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4652-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4652-129-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4728-434-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4812-184-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4828-97-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4828-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4844-203-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4848-175-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4852-446-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5060-236-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5080-464-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5128-530-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5168-536-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5208-542-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5248-548-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5288-554-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads