e2ddc6a841f4d5469fc1b36d031f78e1a733b9db2e1ac394273c7776059cc1f6

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbccf06408f59b090de4a06f16a23360N.exe
Size

844KB
MD5

bbccf06408f59b090de4a06f16a23360
SHA1

68199c78255e15a284b92b5bf24e08ba81ec25d2
SHA256

e2ddc6a841f4d5469fc1b36d031f78e1a733b9db2e1ac394273c7776059cc1f6
SHA512

79e6ba27209c9ac397a6dc5a19772be55f8ee58dc6c2d124b92603353ee99fda05b24d5025e788a64d03cc7f9e52a44a003456afc7cae3016dbec429a82ae1f4
SSDEEP

24576:3joH5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:3cH5W3TbQihw+cdX2x46uhqllMi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koiejemn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnnlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajodef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbkeacqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gclimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iofpnhmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iljpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmccnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfejmobh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lflpmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbjgcnll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himgjbii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapbodql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfqjhmhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hommhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	bbccf06408f59b090de4a06f16a23360N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oknnanhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pphckb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgehml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkilbni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dilmeida.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hklglk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iljpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fblpflfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Femigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glpdjpbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hllcfnhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iocchhof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbghpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkbkbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmnnlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcknee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koiejemn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eimelg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhflhcfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glpdjpbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahlnefd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Komoed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohkijc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahkkhnpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Falcli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fblpflfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhiinbdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfndlphp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckoifgmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gedohfmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gedohfmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhiaepfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbieebha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfqjhmhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nieoal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmikb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbggkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Femigg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqiak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiinoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jokiig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmikb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofheeoq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbkeacqo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hklglk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbghpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkflpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjkiephp.exe

Executes dropped EXE 64 IoCs

pid	Process
4860	Mdaqhf32.exe
4100	Mjkiephp.exe
764	Nmnnlk32.exe
2952	Nieoal32.exe
3904	Npognfpo.exe
3500	Ohkijc32.exe
4952	Okkalnjm.exe
2608	Oknnanhj.exe
1484	Ogdofo32.exe
2072	Opopdd32.exe
3252	Pdmikb32.exe
492	Ppdjpcng.exe
3464	Pphckb32.exe
3572	Qgehml32.exe
1068	Aaofedkl.exe
1648	Ahkkhnpg.exe
4616	Ajodef32.exe
2568	Akopoi32.exe
4468	Bbkeacqo.exe
3140	Bdlncn32.exe
3736	Bqbohocd.exe
944	Bgodjiio.exe
1212	Cnkilbni.exe
872	Ckoifgmb.exe
4316	Cejjdlap.exe
4740	Dbphcpog.exe
324	Dilmeida.exe
4504	Dnkbcp32.exe
1140	Dnnoip32.exe
4868	Ehhpge32.exe
4796	Enedio32.exe
828	Eimelg32.exe
4068	Elkbhbeb.exe
1620	Fbggkl32.exe
1488	Falcli32.exe
2332	Fhflhcfa.exe
1668	Fblpflfg.exe
2004	Fhiinbdo.exe
1556	Femigg32.exe
4776	Fbqiak32.exe
1872	Gklnem32.exe
3044	Gimoce32.exe
2640	Glkkop32.exe
4748	Gedohfmp.exe
3980	Gajpmg32.exe
2024	Glpdjpbj.exe
4160	Giddddad.exe
1452	Gclimi32.exe
1928	Hhiaepfl.exe
1380	Hiinoc32.exe
3376	Hcabhido.exe
940	Hklglk32.exe
1544	Himgjbii.exe
1680	Hllcfnhm.exe
2372	Hahlnefd.exe
3420	Hommhi32.exe
8	Ilqmam32.exe
3756	Icjengld.exe
2840	Ikejbjip.exe
4372	Iapbodql.exe
4500	Iocchhof.exe
2868	Iofpnhmc.exe
1352	Ifphkbep.exe
4060	Iljpgl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gqnajlid.dll	Kofheeoq.exe
File opened for modification	C:\Windows\SysWOW64\Kfejmobh.exe	Kkofofbb.exe
File created	C:\Windows\SysWOW64\Lfqjhmhk.exe	Lfnmcnjn.exe
File created	C:\Windows\SysWOW64\Npognfpo.exe	Nieoal32.exe
File created	C:\Windows\SysWOW64\Ohkijc32.exe	Npognfpo.exe
File created	C:\Windows\SysWOW64\Ojlnphpd.dll	Fhiinbdo.exe
File opened for modification	C:\Windows\SysWOW64\Icjengld.exe	Ilqmam32.exe
File opened for modification	C:\Windows\SysWOW64\Mbjgcnll.exe	Lbgjmnno.exe
File created	C:\Windows\SysWOW64\Okkalnjm.exe	Ohkijc32.exe
File created	C:\Windows\SysWOW64\Fcgpak32.dll	Ohkijc32.exe
File opened for modification	C:\Windows\SysWOW64\Bdlncn32.exe	Bbkeacqo.exe
File opened for modification	C:\Windows\SysWOW64\Kcphpdil.exe	Jbpkfa32.exe
File opened for modification	C:\Windows\SysWOW64\Bqbohocd.exe	Bdlncn32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkbkbfo.exe	Jbieebha.exe
File created	C:\Windows\SysWOW64\Jcknee32.exe	Jbkbkbfo.exe
File created	C:\Windows\SysWOW64\Kfndlphp.exe	Kcphpdil.exe
File created	C:\Windows\SysWOW64\Kbedaand.exe	Kofheeoq.exe
File created	C:\Windows\SysWOW64\Bhpjjc32.dll	Nmnnlk32.exe
File opened for modification	C:\Windows\SysWOW64\Opopdd32.exe	Ogdofo32.exe
File created	C:\Windows\SysWOW64\Fkgeam32.dll	Ppdjpcng.exe
File created	C:\Windows\SysWOW64\Qgehml32.exe	Pphckb32.exe
File opened for modification	C:\Windows\SysWOW64\Fbggkl32.exe	Elkbhbeb.exe
File created	C:\Windows\SysWOW64\Hnclfaec.dll	Hcabhido.exe
File opened for modification	C:\Windows\SysWOW64\Ikejbjip.exe	Icjengld.exe
File created	C:\Windows\SysWOW64\Kmaooihb.exe	Komoed32.exe
File opened for modification	C:\Windows\SysWOW64\Aaofedkl.exe	Qgehml32.exe
File created	C:\Windows\SysWOW64\Cnkilbni.exe	Bgodjiio.exe
File created	C:\Windows\SysWOW64\Abflab32.dll	Cejjdlap.exe
File opened for modification	C:\Windows\SysWOW64\Hiinoc32.exe	Hhiaepfl.exe
File created	C:\Windows\SysWOW64\Lonnnh32.dll	Hhiaepfl.exe
File opened for modification	C:\Windows\SysWOW64\Hhiaepfl.exe	Gclimi32.exe
File created	C:\Windows\SysWOW64\Kqiibcbk.dll	Jbieebha.exe
File created	C:\Windows\SysWOW64\Cpiinc32.dll	Opopdd32.exe
File created	C:\Windows\SysWOW64\Hjpdjplo.dll	Dilmeida.exe
File created	C:\Windows\SysWOW64\Gimoce32.exe	Gklnem32.exe
File created	C:\Windows\SysWOW64\Hklglk32.exe	Hcabhido.exe
File opened for modification	C:\Windows\SysWOW64\Jbghpc32.exe	Iljpgl32.exe
File created	C:\Windows\SysWOW64\Dabmnd32.dll	Cnkilbni.exe
File opened for modification	C:\Windows\SysWOW64\Fblpflfg.exe	Fhflhcfa.exe
File opened for modification	C:\Windows\SysWOW64\Femigg32.exe	Fhiinbdo.exe
File created	C:\Windows\SysWOW64\Afnpjk32.dll	Iocchhof.exe
File created	C:\Windows\SysWOW64\Imobclfe.dll	Koiejemn.exe
File created	C:\Windows\SysWOW64\Gmdqfa32.dll	Dbphcpog.exe
File created	C:\Windows\SysWOW64\Qjdhlc32.dll	Enedio32.exe
File opened for modification	C:\Windows\SysWOW64\Gklnem32.exe	Fbqiak32.exe
File opened for modification	C:\Windows\SysWOW64\Ilqmam32.exe	Hommhi32.exe
File created	C:\Windows\SysWOW64\Ajodef32.exe	Ahkkhnpg.exe
File opened for modification	C:\Windows\SysWOW64\Ahkkhnpg.exe	Aaofedkl.exe
File opened for modification	C:\Windows\SysWOW64\Glkkop32.exe	Gimoce32.exe
File created	C:\Windows\SysWOW64\Kpbljo32.dll	Ilqmam32.exe
File created	C:\Windows\SysWOW64\Dgagnd32.dll	Iapbodql.exe
File created	C:\Windows\SysWOW64\Mmpmel32.dll	Iofpnhmc.exe
File created	C:\Windows\SysWOW64\Pphckb32.exe	Ppdjpcng.exe
File opened for modification	C:\Windows\SysWOW64\Cejjdlap.exe	Ckoifgmb.exe
File created	C:\Windows\SysWOW64\Cmfgkihn.dll	Fbqiak32.exe
File opened for modification	C:\Windows\SysWOW64\Gajpmg32.exe	Gedohfmp.exe
File created	C:\Windows\SysWOW64\Iljpgl32.exe	Ifphkbep.exe
File opened for modification	C:\Windows\SysWOW64\Koiejemn.exe	Kbedaand.exe
File created	C:\Windows\SysWOW64\Bfgkjnai.dll	Nieoal32.exe
File opened for modification	C:\Windows\SysWOW64\Ogdofo32.exe	Oknnanhj.exe
File created	C:\Windows\SysWOW64\Ckoifgmb.exe	Cnkilbni.exe
File created	C:\Windows\SysWOW64\Dnkbcp32.exe	Dilmeida.exe
File created	C:\Windows\SysWOW64\Nfmdccgi.dll	Dnkbcp32.exe
File created	C:\Windows\SysWOW64\Fhiinbdo.exe	Fblpflfg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5492	5396	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmikb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajodef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnnoip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enedio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hiinoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkofofbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbccf06408f59b090de4a06f16a23360N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gklnem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gajpmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcabhido.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hklglk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iljpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbghpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbkbkbfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dilmeida.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehhpge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfqjhmhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjkiephp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgehml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elkbhbeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhiinbdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icjengld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikejbjip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iofpnhmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmaooihb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdaqhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaofedkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lopkkdgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfnmcnjn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnnlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nieoal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pphckb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkilbni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbggkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Falcli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hahlnefd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbedaand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbjgcnll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akopoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckoifgmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbqiak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npognfpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opopdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahkkhnpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhflhcfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glpdjpbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfejmobh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbgjmnno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbldhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohkijc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdlncn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Giddddad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hommhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iapbodql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfndlphp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbphcpog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iocchhof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmccnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbpkfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofheeoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okkalnjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogdofo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdjpcng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eimelg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppdjpcng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pphckb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhifg32.dll"	Fblpflfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hahlnefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkggfeam.dll"	Lfqjhmhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oknnanhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fhflhcfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcabhido.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilqmam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Elkbhbeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Femigg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gimoce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbpkfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkilbni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hllcfnhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jokiig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhiddl32.dll"	bbccf06408f59b090de4a06f16a23360N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfgkihn.dll"	Fbqiak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbkbkbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kofheeoq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfkoaf32.dll"	Kbedaand.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbjgcnll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqbohocd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchknl32.dll"	Fhflhcfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhiaepfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eimelg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phfmod32.dll"	Ikejbjip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofbggpf.dll"	Jbkbkbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abejiq32.dll"	Kfndlphp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaohkjak.dll"	Aaofedkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehhpge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcknee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkofofbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckoifgmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnlnaiq.dll"	Dnnoip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gclimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmacl32.dll"	Hiinoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkflpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnglpdin.dll"	Qgehml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnkbcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbedaand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdlncn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fblpflfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmaooihb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lopkkdgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbgjmnno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcgpak32.dll"	Ohkijc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hiinoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npognfpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfkbkibi.dll"	Gklnem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmnnlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogdofo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpiinc32.dll"	Opopdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glkkop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflcnqal.dll"	Gajpmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hllcfnhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcabhido.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbieebha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfqjhmhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okkalnjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmijkj32.dll"	Bgodjiio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abflab32.dll"	Cejjdlap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dilmeida.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gajpmg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 4860	2312	bbccf06408f59b090de4a06f16a23360N.exe	91
PID 2312 wrote to memory of 4860	2312	bbccf06408f59b090de4a06f16a23360N.exe	91
PID 2312 wrote to memory of 4860	2312	bbccf06408f59b090de4a06f16a23360N.exe	91
PID 4860 wrote to memory of 4100	4860	Mdaqhf32.exe	92
PID 4860 wrote to memory of 4100	4860	Mdaqhf32.exe	92
PID 4860 wrote to memory of 4100	4860	Mdaqhf32.exe	92
PID 4100 wrote to memory of 764	4100	Mjkiephp.exe	93
PID 4100 wrote to memory of 764	4100	Mjkiephp.exe	93
PID 4100 wrote to memory of 764	4100	Mjkiephp.exe	93
PID 764 wrote to memory of 2952	764	Nmnnlk32.exe	94
PID 764 wrote to memory of 2952	764	Nmnnlk32.exe	94
PID 764 wrote to memory of 2952	764	Nmnnlk32.exe	94
PID 2952 wrote to memory of 3904	2952	Nieoal32.exe	95
PID 2952 wrote to memory of 3904	2952	Nieoal32.exe	95
PID 2952 wrote to memory of 3904	2952	Nieoal32.exe	95
PID 3904 wrote to memory of 3500	3904	Npognfpo.exe	96
PID 3904 wrote to memory of 3500	3904	Npognfpo.exe	96
PID 3904 wrote to memory of 3500	3904	Npognfpo.exe	96
PID 3500 wrote to memory of 4952	3500	Ohkijc32.exe	97
PID 3500 wrote to memory of 4952	3500	Ohkijc32.exe	97
PID 3500 wrote to memory of 4952	3500	Ohkijc32.exe	97
PID 4952 wrote to memory of 2608	4952	Okkalnjm.exe	98
PID 4952 wrote to memory of 2608	4952	Okkalnjm.exe	98
PID 4952 wrote to memory of 2608	4952	Okkalnjm.exe	98
PID 2608 wrote to memory of 1484	2608	Oknnanhj.exe	99
PID 2608 wrote to memory of 1484	2608	Oknnanhj.exe	99
PID 2608 wrote to memory of 1484	2608	Oknnanhj.exe	99
PID 1484 wrote to memory of 2072	1484	Ogdofo32.exe	100
PID 1484 wrote to memory of 2072	1484	Ogdofo32.exe	100
PID 1484 wrote to memory of 2072	1484	Ogdofo32.exe	100
PID 2072 wrote to memory of 3252	2072	Opopdd32.exe	101
PID 2072 wrote to memory of 3252	2072	Opopdd32.exe	101
PID 2072 wrote to memory of 3252	2072	Opopdd32.exe	101
PID 3252 wrote to memory of 492	3252	Pdmikb32.exe	102
PID 3252 wrote to memory of 492	3252	Pdmikb32.exe	102
PID 3252 wrote to memory of 492	3252	Pdmikb32.exe	102
PID 492 wrote to memory of 3464	492	Ppdjpcng.exe	103
PID 492 wrote to memory of 3464	492	Ppdjpcng.exe	103
PID 492 wrote to memory of 3464	492	Ppdjpcng.exe	103
PID 3464 wrote to memory of 3572	3464	Pphckb32.exe	104
PID 3464 wrote to memory of 3572	3464	Pphckb32.exe	104
PID 3464 wrote to memory of 3572	3464	Pphckb32.exe	104
PID 3572 wrote to memory of 1068	3572	Qgehml32.exe	105
PID 3572 wrote to memory of 1068	3572	Qgehml32.exe	105
PID 3572 wrote to memory of 1068	3572	Qgehml32.exe	105
PID 1068 wrote to memory of 1648	1068	Aaofedkl.exe	106
PID 1068 wrote to memory of 1648	1068	Aaofedkl.exe	106
PID 1068 wrote to memory of 1648	1068	Aaofedkl.exe	106
PID 1648 wrote to memory of 4616	1648	Ahkkhnpg.exe	107
PID 1648 wrote to memory of 4616	1648	Ahkkhnpg.exe	107
PID 1648 wrote to memory of 4616	1648	Ahkkhnpg.exe	107
PID 4616 wrote to memory of 2568	4616	Ajodef32.exe	108
PID 4616 wrote to memory of 2568	4616	Ajodef32.exe	108
PID 4616 wrote to memory of 2568	4616	Ajodef32.exe	108
PID 2568 wrote to memory of 4468	2568	Akopoi32.exe	109
PID 2568 wrote to memory of 4468	2568	Akopoi32.exe	109
PID 2568 wrote to memory of 4468	2568	Akopoi32.exe	109
PID 4468 wrote to memory of 3140	4468	Bbkeacqo.exe	110
PID 4468 wrote to memory of 3140	4468	Bbkeacqo.exe	110
PID 4468 wrote to memory of 3140	4468	Bbkeacqo.exe	110
PID 3140 wrote to memory of 3736	3140	Bdlncn32.exe	111
PID 3140 wrote to memory of 3736	3140	Bdlncn32.exe	111
PID 3140 wrote to memory of 3736	3140	Bdlncn32.exe	111
PID 3736 wrote to memory of 944	3736	Bqbohocd.exe	112

C:\Users\Admin\AppData\Local\Temp\bbccf06408f59b090de4a06f16a23360N.exe
"C:\Users\Admin\AppData\Local\Temp\bbccf06408f59b090de4a06f16a23360N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\Mdaqhf32.exe
  C:\Windows\system32\Mdaqhf32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\Mjkiephp.exe
    C:\Windows\system32\Mjkiephp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\SysWOW64\Nmnnlk32.exe
      C:\Windows\system32\Nmnnlk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:764
    - - C:\Windows\SysWOW64\Nieoal32.exe
        
        C:\Windows\system32\Nieoal32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\Npognfpo.exe
        
        C:\Windows\system32\Npognfpo.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Ohkijc32.exe
        
        C:\Windows\system32\Ohkijc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Okkalnjm.exe
        
        C:\Windows\system32\Okkalnjm.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Oknnanhj.exe
        
        C:\Windows\system32\Oknnanhj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Ogdofo32.exe
        
        C:\Windows\system32\Ogdofo32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Opopdd32.exe
        
        C:\Windows\system32\Opopdd32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Pdmikb32.exe
        
        C:\Windows\system32\Pdmikb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Ppdjpcng.exe
        
        C:\Windows\system32\Ppdjpcng.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\SysWOW64\Pphckb32.exe
        
        C:\Windows\system32\Pphckb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Qgehml32.exe
        
        C:\Windows\system32\Qgehml32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Aaofedkl.exe
        
        C:\Windows\system32\Aaofedkl.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Ahkkhnpg.exe
        
        C:\Windows\system32\Ahkkhnpg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Ajodef32.exe
        
        C:\Windows\system32\Ajodef32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Akopoi32.exe
        
        C:\Windows\system32\Akopoi32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Bbkeacqo.exe
        
        C:\Windows\system32\Bbkeacqo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Bdlncn32.exe
        
        C:\Windows\system32\Bdlncn32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Bqbohocd.exe
        
        C:\Windows\system32\Bqbohocd.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Bgodjiio.exe
        
        C:\Windows\system32\Bgodjiio.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Cnkilbni.exe
        
        C:\Windows\system32\Cnkilbni.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Ckoifgmb.exe
        
        C:\Windows\system32\Ckoifgmb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Cejjdlap.exe
        
        C:\Windows\system32\Cejjdlap.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Dbphcpog.exe
        
        C:\Windows\system32\Dbphcpog.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Dilmeida.exe
        
        C:\Windows\system32\Dilmeida.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Dnkbcp32.exe
        
        C:\Windows\system32\Dnkbcp32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Dnnoip32.exe
        
        C:\Windows\system32\Dnnoip32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Ehhpge32.exe
        
        C:\Windows\system32\Ehhpge32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Enedio32.exe
        
        C:\Windows\system32\Enedio32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Eimelg32.exe
        
        C:\Windows\system32\Eimelg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Elkbhbeb.exe
        
        C:\Windows\system32\Elkbhbeb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Fbggkl32.exe
        
        C:\Windows\system32\Fbggkl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Falcli32.exe
        
        C:\Windows\system32\Falcli32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Fhflhcfa.exe
        
        C:\Windows\system32\Fhflhcfa.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Fblpflfg.exe
        
        C:\Windows\system32\Fblpflfg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Fhiinbdo.exe
        
        C:\Windows\system32\Fhiinbdo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Femigg32.exe
        
        C:\Windows\system32\Femigg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Fbqiak32.exe
        
        C:\Windows\system32\Fbqiak32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Gklnem32.exe
        
        C:\Windows\system32\Gklnem32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Gimoce32.exe
        
        C:\Windows\system32\Gimoce32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Glkkop32.exe
        
        C:\Windows\system32\Glkkop32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Gedohfmp.exe
        
        C:\Windows\system32\Gedohfmp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Gajpmg32.exe
        
        C:\Windows\system32\Gajpmg32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Glpdjpbj.exe
        
        C:\Windows\system32\Glpdjpbj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Giddddad.exe
        
        C:\Windows\system32\Giddddad.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\Gclimi32.exe
        
        C:\Windows\system32\Gclimi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Hhiaepfl.exe
        
        C:\Windows\system32\Hhiaepfl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Hiinoc32.exe
        
        C:\Windows\system32\Hiinoc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Hcabhido.exe
        
        C:\Windows\system32\Hcabhido.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Hklglk32.exe
        
        C:\Windows\system32\Hklglk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\Himgjbii.exe
        
        C:\Windows\system32\Himgjbii.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\Hllcfnhm.exe
        
        C:\Windows\system32\Hllcfnhm.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Hahlnefd.exe
        
        C:\Windows\system32\Hahlnefd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Hommhi32.exe
        
        C:\Windows\system32\Hommhi32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\Ilqmam32.exe
        
        C:\Windows\system32\Ilqmam32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Icjengld.exe
        
        C:\Windows\system32\Icjengld.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Ikejbjip.exe
        
        C:\Windows\system32\Ikejbjip.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Iapbodql.exe
        
        C:\Windows\system32\Iapbodql.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Iocchhof.exe
        
        C:\Windows\system32\Iocchhof.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Iofpnhmc.exe
        
        C:\Windows\system32\Iofpnhmc.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Ifphkbep.exe
        
        C:\Windows\system32\Ifphkbep.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\Iljpgl32.exe
        
        C:\Windows\system32\Iljpgl32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Jbghpc32.exe
        
        C:\Windows\system32\Jbghpc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\Jokiig32.exe
        
        C:\Windows\system32\Jokiig32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Jbieebha.exe
        
        C:\Windows\system32\Jbieebha.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Jbkbkbfo.exe
        
        C:\Windows\system32\Jbkbkbfo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Jcknee32.exe
        
        C:\Windows\system32\Jcknee32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Jmccnk32.exe
        
        C:\Windows\system32\Jmccnk32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Jbpkfa32.exe
        
        C:\Windows\system32\Jbpkfa32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Kcphpdil.exe
        
        C:\Windows\system32\Kcphpdil.exe
        73⤵
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Kfndlphp.exe
        
        C:\Windows\system32\Kfndlphp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Kofheeoq.exe
        
        C:\Windows\system32\Kofheeoq.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Kbedaand.exe
        
        C:\Windows\system32\Kbedaand.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Koiejemn.exe
        
        C:\Windows\system32\Koiejemn.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Kkofofbb.exe
        
        C:\Windows\system32\Kkofofbb.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Kfejmobh.exe
        
        C:\Windows\system32\Kfejmobh.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\Komoed32.exe
        
        C:\Windows\system32\Komoed32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Kmaooihb.exe
        
        C:\Windows\system32\Kmaooihb.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Lopkkdgf.exe
        
        C:\Windows\system32\Lopkkdgf.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Lkflpe32.exe
        
        C:\Windows\system32\Lkflpe32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Lflpmn32.exe
        
        C:\Windows\system32\Lflpmn32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Lfnmcnjn.exe
        
        C:\Windows\system32\Lfnmcnjn.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Lfqjhmhk.exe
        
        C:\Windows\system32\Lfqjhmhk.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Lbgjmnno.exe
        
        C:\Windows\system32\Lbgjmnno.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Mbjgcnll.exe
        
        C:\Windows\system32\Mbjgcnll.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Mbldhn32.exe
        
        C:\Windows\system32\Mbldhn32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 412
        90⤵
        Program crash
        
        PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4340,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4480 /prefetch:8
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5396 -ip 5396
1⤵
PID:5468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaofedkl.exe

Filesize
844KB

MD5
a3f1177bd9364cf1ad03f2a28e7eb0c0

SHA1
6c55fb449a75a04b4aabeb813fdb7052d728fd20

SHA256
dfdae96d6f53b2e2141e34f4fa24ecc887c9134bf1103accb348548e12daf089

SHA512
8427d9fab2a53769bb28210495a0a00b56e1061a486647abcf6fd41521ef2a03cd142b69d460760f256132d464e3567ecd00437bac74a6cafec6e0682e908236

Download Submit
C:\Windows\SysWOW64\Ahkkhnpg.exe

Filesize
844KB

MD5
af1438671fccf95f1b95992224061169

SHA1
4f90d572e7c9c272d5e3d5a7cf2ed512b6fd13db

SHA256
4c468d8d620954288b1c55be00d1233d66d0fbf3199b52f77510f672c51aad2b

SHA512
341a846a012868064438852c64f0142e3865f43ac46c869cac75b467360ddec93cd149b53d83e9bb619ddd2316698421cd299d909cd431bff0b50484929dd2fe

Download Submit
C:\Windows\SysWOW64\Ajodef32.exe

Filesize
844KB

MD5
2a6b5ee0e2e83de0bf67a51137315ffb

SHA1
813cdf0f0ae52835d734525beb564bbcca034589

SHA256
895e9dafd366c88603d4d691b0ecfb71c7c36142539b868fcddeed42264531b3

SHA512
cc12425611162733fd2ac7a767d0e93332b3c5fc417e0882e57097e0facb8e30e103d5071d44968a877681e0820ab367aa06bf52452b846e812e86bcc51572ef

Download Submit
C:\Windows\SysWOW64\Akopoi32.exe

Filesize
844KB

MD5
057022a38a13c0a322095aeaccf1c414

SHA1
424168fee51572bf775a758335d078250c4e51dc

SHA256
7c11f7771e3b0845a4acd893a40fb24cf6a0cf98d64ebe7c45d4f9d62dd957b1

SHA512
af2d3d4914af0151b590e3206a32bed568cf6d275643efbc103cd18dd0d6d622df26ce060064553c719381808a2f3daa852df9ed87b7b839aa91a858e72c2213

Download Submit
C:\Windows\SysWOW64\Bbkeacqo.exe

Filesize
844KB

MD5
17ed1bf9d028c00c24b74213d4ae5699

SHA1
230f9c003dc5eb189e55a086d37abdaf50a92d16

SHA256
e5d0cf4a1d00d22e5bcaf5a48d80e17354f476a9c24e8fe68393104b51e929c6

SHA512
d2f8bb85844805597e63b0814491ad189f8f6e158aed7ba846cfba82e4f8b6c67d1adcb67fa858fb20e6c4524f4dd2816e74e37f58ea3ebe2851c60e81f94e82

Download Submit
C:\Windows\SysWOW64\Bdlncn32.exe

Filesize
844KB

MD5
c45313b7421c0a08768a8a1f82acfbba

SHA1
e4d0a85969d35514caebcf1fe6f268909f5359e3

SHA256
e1d8ccf5506c0c2c0314ffbda9124cf74c429989ebe867f8d47c4a4fdcab47b2

SHA512
5dd562156e220cf90837a480eebe7228bd1162fcc1ac6f4b0b2fae385205f68aa6e4d621f0663b8640c50c8a4b516059d18ec5ef0455c36ac5154d339480f462

Download Submit
C:\Windows\SysWOW64\Bfgkjnai.dll

Filesize
7KB

MD5
823a31a751cc8b24fc0a70ac822bd67e

SHA1
bb09b4c31a89ae6639edd324961c5d5a90f9d9c6

SHA256
101bfdf1490f1148e3b32413525efc1d2f8dfcc5ab5ab2b796aa17153d3c5bf9

SHA512
8b8bf477d5fe1ed02d12f9579c0a38769049089125b74ea28067193b0cf61c0df4c5c87cf403d1c5387f106b7a8942f991bcb1335349221d553d7935f55ffae1

Download Submit
C:\Windows\SysWOW64\Bgodjiio.exe

Filesize
844KB

MD5
03137478059a23614aded4f963558bfd

SHA1
527b57bbb5743ec1d18a423d597ee29d9cd397fc

SHA256
83cfc982bfc0339fe6118bcf938637281acb4c18785220c8e8f68a8f7e232b4b

SHA512
928c17457e6a5649077ee4961c6be2d4ed61e69af30a77135ad7499f670e5a1eba6a32ecc0ee37f40fd2d195c97b5222fe5e9cbce90ebe7d2e86858ee8e9e4bb

Download Submit
C:\Windows\SysWOW64\Bqbohocd.exe

Filesize
844KB

MD5
8a0486b22dfa3648f1be4fb6a49b1390

SHA1
5b79154b3516289237d58a1b57439d6c86688d4a

SHA256
40dd10e3a8c87bbd0a66f3c92a88ada6b78634df8f330afe2b12f9c73a4f5deb

SHA512
54e031094ca225ffecf751010b3decac78fc641ca06326b1102399ce1df72572fb0788ad498348a3ca68a4c78d9004ae6ded4054155ce8cb98e63c11fad14c4f

Download Submit
C:\Windows\SysWOW64\Cejjdlap.exe

Filesize
844KB

MD5
f694e06e7fe48fd0cf29954af9ec463d

SHA1
f9ba078d8f997149791dec06beeb95babce263f7

SHA256
13b0c9c3539f824f62b947b836a74b3118ca56c4a02a0ff0ee0e0e8915758949

SHA512
a9d1996822ff063917189e6456b05cfb217437e8c93898d1961a6520bab866f0cb380fcd42a9d15196db4b56709b544691c499486537181483db2394e5c10b7c

Download Submit
C:\Windows\SysWOW64\Ckoifgmb.exe

Filesize
844KB

MD5
91d8bd2f3b9d0e6b5082f000ac1dc117

SHA1
2c15e45ce05dab2ada495c9a8d4bdf7a7c043a3f

SHA256
d69dfdf0b5f5f7ea68108deb654f8d11ecf3cdd7afa1c8eb47a81ee3908fccc1

SHA512
23a420e77350635a5a78776a024a83fe38a58b9900ef79a0ccaf4964e35651c7402752386ac197feba370342f09778bbb238493bcc5e5b58d9b60b90e8d626a0

Download Submit
C:\Windows\SysWOW64\Cnkilbni.exe

Filesize
844KB

MD5
8f6fb838c18ef2ba4104c2046f29f096

SHA1
ec5865c2d72148af43000d62c87739138ba91ff3

SHA256
48a19398efbc4a9dbd304e7c4e78c7240e022009569b02eb80dd85c441fc75a2

SHA512
65cc69dd3ea10195b34fe0b3f2a6b9213896358e40db11788464dcde74650950bd2a744ebe119e4c95d158b4842e3b45dfda7bc9a7b9fe1c9faaa776ac7c7340

Download Submit
C:\Windows\SysWOW64\Dbphcpog.exe

Filesize
844KB

MD5
d26f67c3778b998372024188aed157cb

SHA1
1fc30b98547bcec8008e616241f5c58158168164

SHA256
ac61a2c78579d2cd09613127da6a9f1d744755ad6dd450a9c580ad5c6f92135c

SHA512
c39c6c8472014619e05030faa03097d15e6116dd5263e0360fec3633f92cf2a9f4f2d7791d9318ef2f5bcf27cf0fd9f13f1aad8ec94f650dd990cb808a25ecb9

Download Submit
C:\Windows\SysWOW64\Dilmeida.exe

Filesize
844KB

MD5
23f2d9c5e8b98d71d1f0e6d575c628bb

SHA1
ef12712343e0f72169a26301782f9f382ba7f75d

SHA256
9ab690ad0eb8ab5637387342e2114fe5bafab324c637a442cd0fca390da7b892

SHA512
4b67dec03d1edd94df30a98e3d49776bf4d14cc453f2e3235bbe16d5958b5695011410448f32ae3c3fdbdd267212e46f1209768b152997683292af843a1e0107

Download Submit
C:\Windows\SysWOW64\Dnkbcp32.exe

Filesize
844KB

MD5
b99b291ce95f2a7b1e97b63da02d2956

SHA1
672fba529273c30ffa18811ad991b1b40731be64

SHA256
82020053bc4b4c4b2937faf3a2f53dcdb828f0398bff505beee0e17cdbe1a4b6

SHA512
f31887fe46ea16172dd9df9dacb89bd55dfffb72ff003e781e41f791887f7ab7894cdee16474e3916ffd41a7370ba04d2f0473680c082a0d911e56b92e96b476

Download Submit
C:\Windows\SysWOW64\Dnnoip32.exe

Filesize
844KB

MD5
e9bf44987eaacdbec38c281d88258b72

SHA1
e8306a273997e8c95f9d934cab041847dfdefd87

SHA256
0ecdf80d2fe5a29f9f2b291430d3875141c396969d92193d86e7cfe1bc4f1b7a

SHA512
84b6bf7cdc2c96bfcc9f395071c7fafe085c6c1ad87f23319b4ee1013cf2bac328451bd56ba4707226b0a0965aad8be540baaee7810afd67ef9389eede32cdbf

Download Submit
C:\Windows\SysWOW64\Ehhpge32.exe

Filesize
844KB

MD5
dd16e903a4538cbfaee43ad025e0311e

SHA1
d1f1bc1c1ce59e27db6bbdca1f6659e7c17914de

SHA256
7dc71afb306859b92902e9007313707fc878d9720ba0b96d96a5acf517f4fb8d

SHA512
9376894c0e462a0282ae23c936ffe9b3fb41755a14e38e63769bce1e352e325d2914d5c27fd238c4685ceb1830b2bf1d990bc268cdb6c0d6c76ae24f26755726

Download Submit
C:\Windows\SysWOW64\Eimelg32.exe

Filesize
844KB

MD5
ec92411f89a8db5e8b4053dbc58cb026

SHA1
5dcb22e36a36ffc2852033b743d9aaa372c9fb40

SHA256
5e59d2834075bff544f9d279f356aa13b50d55b2402bc6f3bb3130d619cab1f8

SHA512
c4bec63ac5257f3aa3ff3aaae7fc92704116f89cf6dd28567675632e1c988d7982640363a8a9641a7a2860ac955109a2ab4a0f595cb4b8c9ba447b614bd18a84

Download Submit
C:\Windows\SysWOW64\Enedio32.exe

Filesize
844KB

MD5
fb8264d75b7d01e292e3642da8ae896a

SHA1
50a9ccd4cdd88f307f4874f730d390e196b9d7b9

SHA256
f305066336153687a64250f2c10f6f81f514684534d9a7905fbfd3875316c056

SHA512
2737dbc8f1ed6b9118e727dfdba5cb17413200791f8a27f6088255e1725eb770c2f48edbfd4d0d4f54785890f31e0cb64bc950c30b03319ce81bc48f3984a273

Download Submit
C:\Windows\SysWOW64\Fbggkl32.exe

Filesize
844KB

MD5
73134e909871d2916d58a419e307caf4

SHA1
cb9437ebc0b8d2af6b643993e59580afbd899746

SHA256
aadf9881c24272004e1cda9304e45d2f46d5d5e4dee8d5a6fcf4a94238f61b3c

SHA512
3f600513ebc141a18327ec681651d68f05041239ac0c5d7761f8e0e908d7fa5d493a21b17702314d82ec6a106ce43865b717f4b630d46b61ad3c3b3faf9395a9

Download Submit
C:\Windows\SysWOW64\Fbqiak32.exe

Filesize
768KB

MD5
11fb8716da643ee20f56efa5f11501ae

SHA1
7cca3252fb9293ae0c4dfdb406b2d461650281f7

SHA256
734fff97fe8c922548e8e5468fbbcc46a3ec581160bb93de8e13ec477f00bcb6

SHA512
5850209aa970243ebfdc41396bdb3448827d6c72e126678ed142714327e5ad22ff9e2ead455ae86e7b2e2ce2f5268a2c6bdf008c762db30705ff86122816ccaf

Download Submit
C:\Windows\SysWOW64\Fhiinbdo.exe

Filesize
844KB

MD5
791172bdd18d8d0cd2e0b5a15aa6f636

SHA1
fad1b27bb77eca4f46f4da1859d4e49726eb2f50

SHA256
98f0a67116e7479895b7e35c5bfd580e0ee49214ab57d4497e436fef2f18b308

SHA512
d529d9a08ad608fc50daee99c26a5fc87385fff60d8f661be747e64e6a8762952bb18aa093f71344f7c6d77a8b8e80ccefb03fbb46d49256127cf5b184717f51

Download Submit
C:\Windows\SysWOW64\Gajpmg32.exe

Filesize
844KB

MD5
1f7f9ed1cb9de4410528ddd1b6afffe4

SHA1
1cbf1d9a0dda21278b7b174c51c0a01d55e23501

SHA256
2af37bcc42a8cea0dac2d1fc6d359d77650a34c9ad43527a3ea656c186c8bb7f

SHA512
8023cd3336d7441f43a54385d89cfe7e8d0c6fdf1371c3993793cb616f34b9fd761dfee6e9a7a1f6750f5f4b8d2c6d16e79068f837df57c0fb955838c90009e8

Download Submit
C:\Windows\SysWOW64\Gedohfmp.exe

Filesize
844KB

MD5
d8c40c1289e6d9f54614624efc1e9ab7

SHA1
fb58a28447f85a125516d1f88fda80cbe41f4197

SHA256
e6775f97fa34604fc485a76e8574b45d95175f8ca14d253b5169d2110c0fb2b4

SHA512
f332a8fc7fec9feabf993e284d6c79dea8c117648022fbc6b645282fecf414d73f7a7dc62950da05172709151f93739e3481ad5c460b56ad480da8c8424e94d8

Download Submit
C:\Windows\SysWOW64\Giddddad.exe

Filesize
844KB

MD5
43a774a9224bf0c2db898c828ab58a46

SHA1
19c53f9b7f477a6a3f52fd3d1524f474cf8e285c

SHA256
2242656bdfc7ca800cf85202cf57473471e6e4b132c01127daa1cf46e827e404

SHA512
c297465588b175cdeb37adc603ed46ba33a67a672f9fb8206438db6d09503c81aa6acaa68ccffa32d00a50e4f7204c38d9e2193b98bce1c947eff746fad011ad

Download Submit
C:\Windows\SysWOW64\Hommhi32.exe

Filesize
844KB

MD5
29a0c4c05df19637ada3605227f3127c

SHA1
7635089f625ac0eea0720946dae1388a395f70d4

SHA256
b32b2690b26203bd278763d0bcf93ee2bead4e107fafbf3eaf374ccf2de10f84

SHA512
4b589edc3d4b4fb92e6edee03e7d62424f3b151502149ac0933e5a54f4bba5e758ee064184ab6c092f2e0e3b3c5c35779d99e07c78b432d25f9498925e511223

Download Submit
C:\Windows\SysWOW64\Iapbodql.exe

Filesize
844KB

MD5
4cbf41ee71459cc588f2a7f9f46e89e6

SHA1
3a3708ecd1800a6564d9cf5b7442853161198a31

SHA256
cd1a6ca5ef529039ad6c84ed236dd27f0724bfe5ca46822793ed53b347e2915e

SHA512
09cdb6277dbf038a6783bb21d691761abf3a0bf3256e0737dd0cae4ea235733f81af71aaf9a716cbceac5ed8c6acee5a3212a815f10486146e1b78e98c4fa620

Download Submit
C:\Windows\SysWOW64\Icjengld.exe

Filesize
844KB

MD5
d1c7f56c2e523c6a7dd1711e4301f4b6

SHA1
14037565e15757c40d1cd364d88cf9a46a3ba978

SHA256
35c680987ffff59449c517c2f08a7fabe6dd70d0335c1a543160bfff266007db

SHA512
10d56caa4203be4d6fda9838c35d9e7e54f22ceac02429847e1b14cd3eb52a4c9604b813fa366338a6cfce02da843ccd23b74b0f790710f316358fd2b339ebe5

Download Submit
C:\Windows\SysWOW64\Jbkbkbfo.exe

Filesize
844KB

MD5
f3d57500d7005dc0d4a64864e42de5e3

SHA1
ade9361174feacae051a996b10ff8a6f23a3a52e

SHA256
265d7dd6894617dcc470bdbb22c74a4461e44d8b4dc1867a934c819009103dbd

SHA512
559bf30b5e12a63e709e11155e0682072744648c1dfa78720b4a0dcfd810dc3c3bb6f09a42a177e089333a0ea643a9a903d15ac47a60e9122a7ba3d7bbdc6e9f

Download Submit
C:\Windows\SysWOW64\Jcknee32.exe

Filesize
844KB

MD5
1ac7184210940c56be0f697e64b7dad5

SHA1
17e15f719b88e2d950012a84deeb99a13165891f

SHA256
934550410fab211e52216e7bc3fe0c478c808a2d1e314c8acb34d2079e5ee707

SHA512
d78f8d44c9d18bf87078797b7dad072d4405d414881fcd5c9451ac80ce843bc0a7454797e1194278e0a74e23665741a42a8aa830d1690a659d186652c5b7f6b9

Download Submit
C:\Windows\SysWOW64\Jokiig32.exe

Filesize
844KB

MD5
69e6019abdf0cc4ea582a0b0da65cea5

SHA1
16019ccfcec622a9b09bc5b234692671cdb768d7

SHA256
c0b09d89fb28e749a87c2895b847d227b0eaa613d2043d71dc3982854a84700d

SHA512
08728f4c9e06438d17eead75f10c75b9aa4039f6c26789eca20d935befde7b7441b6e550a0d82a4a5e709d1f23bc543b9791df0824899ca749c58f1984434178

Download Submit
C:\Windows\SysWOW64\Kfejmobh.exe

Filesize
844KB

MD5
de39f2675c73bf81749226e536ef332b

SHA1
e513a1ced2045145654ac23f61703187d76f73a0

SHA256
171ac3afc5032c68a346feac733184a55c507ca8f5ea308cc703f4e051b24e91

SHA512
810e7c82a6a01101924af267c6f0c58434926f5dac38202245f553ca85357f907451fe529707c7f602b8e94bb7786a4cc9e4285171a8fb82b8be0d6009286cf2

Download Submit
C:\Windows\SysWOW64\Koiejemn.exe

Filesize
844KB

MD5
e108e071bbbcd0637239d8f372474178

SHA1
e85c9b313a98bb1efe5ebb09b025a9eae8eb617c

SHA256
c0b79a2b432f6e3b59feaf9a20dfba4e435f963f05837bbbb4949d7fb5775371

SHA512
f2c1fcb1afc50e57d3c737b2d6b058043d0a65c6e36f91fae69f552492bcfd476c2b22402c1750429330c9ea9d65c1f0020cb21a85a560ed384889ae9ec55e03

Download Submit
C:\Windows\SysWOW64\Lbgjmnno.exe

Filesize
844KB

MD5
f8b74f72aceba16243cec973b975616d

SHA1
4ecb131da405b9e84ea6daadbec54fd7f6748d12

SHA256
1bc7ad8bc1ec2ca690e77edd2c7588d5d38c371e3cbe26db5f2a24c34ccf9730

SHA512
c6f6efb3df52846cb7bc62d56de9ae4c7bb48389b7db251c2cf9490f5e224d0b6599652fd15e56cdb283394e07f1877b61ba0cf6b8ca35b1b29e254f2e57a5b6

Download Submit
C:\Windows\SysWOW64\Lfnmcnjn.exe

Filesize
844KB

MD5
4a3e340d4412d44b003800fa99d3c643

SHA1
8282f6a43cfbcadd7e6daea457406bd61aee37a6

SHA256
dec4b2b039bce8b3b9e52e53fbabae5f757155b64c7890fdc859cbf7c830738c

SHA512
08269855caec9d7e37a1133a43ac1f78150b46b328a3be387b9dc9e75568e1dc9231424a60d46dc77bc15e0208a8c5a0d32491c6fe5b63d3de3a97ad493e8097

Download Submit
C:\Windows\SysWOW64\Lopkkdgf.exe

Filesize
844KB

MD5
acbe1f4ded6626f672c56cd72958eec2

SHA1
c5ef93d6636513982e3bab898b28202d3da61563

SHA256
1f052e66efc219ebcef67d40fdb647664c6360e65f0d6f4ec5d99be2fab1b8d7

SHA512
d625545a481e0f307dd6499bd3fb347e38a30165cbe8670e64721c4ea43245804ad4745407e090183cec4d516f91cb6716e293dec979beb9551ac849dc770932

Download Submit
C:\Windows\SysWOW64\Mbjgcnll.exe

Filesize
844KB

MD5
7eb8f2a57b35afee1d959218150b69b7

SHA1
8d4712c58d1b3f7a5e354799325ee3b67689ac9d

SHA256
2eb00dcfe7bba51855631d626e12709c381cda54c9d2025a65262f8b741a2761

SHA512
965d56e310ec1a99fa987c217d1d46c0b078196e4c80d3d474d337a6f753df1afef6923be9f30ef59d073d02b8edd853dc3ab4de7bc02f35ed52b2f71e3449e9

Download Submit
C:\Windows\SysWOW64\Mdaqhf32.exe

Filesize
844KB

MD5
87015bc34c6d3a84235a9b7fba005308

SHA1
a740a5aa3630b88ec68a07d1df5ec90b18ac5299

SHA256
c86f143ed9071a11dd1eae42e703502d534d5e4b87e16a1555f6bdc165532035

SHA512
1612792b4774d3a3c86c2fabe2fbaab4fbd9dd6ff3bd843625dc1d37baaf7f123966626d2aa46e9e217209c091e6f0d9f19584873d117376667c8291376504b1

Download Submit
C:\Windows\SysWOW64\Mjkiephp.exe

Filesize
844KB

MD5
85e2ca17b6295cadb9160abfaa454f78

SHA1
c174d5126aa92c85a35f159bce7e49cb7cb10214

SHA256
322fdb21770074b87280edf325c88ec744250394fdba0f288bb82b838bb6aaa7

SHA512
8b884d03e18dcb2e772d1e19292d3593201c15b2b6370723d7b3b5839e8a24d07963a2bd000939f160c5367ab5da4741305078b7dbcd3182976c247f48add759

Download Submit
C:\Windows\SysWOW64\Nieoal32.exe

Filesize
844KB

MD5
175428f21889cd95b4ab1f7383ca31df

SHA1
debabfb7e8f4a8908d5bd2b58e075a115d146dc3

SHA256
bb20895edddf1959b623e4ec624a556726808516b993c7a343af22c446872daa

SHA512
0d296035647f742f3c1a6351abf07bdb61b923683b594bfdbe4d255f2bbb3285c0f152ff18d640f4b66941caa388d1fc05a452661b1d2615389485268598e51d

Download Submit
C:\Windows\SysWOW64\Nmnnlk32.exe

Filesize
844KB

MD5
06853f1bcbc46328a272cb5a605a179c

SHA1
db8367f86df34c2254860b2094788715193e4bce

SHA256
7fd76c0f88afcf3eb47fbb034cd3bc473b53eacce46072bcae574453e814dc52

SHA512
9ff32ab77fcf3f4e1a1041873f66dc7c44e896a8deb20b62c3b3d76e6c6ea1f75b28249cfa79e2c07ff608f59461b16e0f1447aae7161961764a7428168c4b37

Download Submit
C:\Windows\SysWOW64\Npognfpo.exe

Filesize
844KB

MD5
a6c44125cd9df5a7924865ea7e918d64

SHA1
6cd4127f232c993d9236576392702f40daed0c78

SHA256
b3277251a6e596785a12f2f0a423a3f70ddabad33e69e672f8f54abf0aa724ca

SHA512
4a74d0a4ee0f00292d26141d0020adf56e5d12cb5d50876b09c246f0eae0a40783a343c115d0a7c61b6e7b4f4510a71e0c7685b9f346cd698bd5b622a9fbc265

Download Submit
C:\Windows\SysWOW64\Ogdofo32.exe

Filesize
844KB

MD5
b00f147e10d2d109fc5628419253d154

SHA1
b7019f6be6755946aa2db8231f1e0c1fcad4c767

SHA256
0f82e9289fefe4b77a5dc71fb26c321a263afc949f7915419d2a4711f5d71d03

SHA512
6372b83d17028507c0929baa065bb6d7dda3e47271f500e4928c532832291e1783b091c0b4589c41cac548844808d3d85c7ab3c9007bf12b2d13fe740f587ca6

Download Submit
C:\Windows\SysWOW64\Ohkijc32.exe

Filesize
844KB

MD5
5a7d85b08cc1426433bdd187a393199d

SHA1
cb0954f8f525ed9ea2443c232e84f6a1aa4357e4

SHA256
6932f6ab127a2a32da6cbabe49ca057bdc96df36b689838f82b6d9a71c89981f

SHA512
5f806eddae041a4265083c5e88240c764facefc92565e6f7dd69de376f01d47082b414b296a50f29dbf2964e18fd370cb3b89795e7d26f54c88eeae0baae702d

Download Submit
C:\Windows\SysWOW64\Okkalnjm.exe

Filesize
844KB

MD5
60b94555b419d649f009bfe2fe5e0f9e

SHA1
c5d0f8ae6aa40583dec456fb958009e99ede7c87

SHA256
2396e2a9df385813fd1c43bd4f0b25a76ff4105ff21146a90a97cff0d0264992

SHA512
3943c239c30c13913f37aad6b4efa5ae2c41b4fcfe00ae84732e01ddf41825cb5ae9af494e99a99e24efea7566170cdf8345aa14036786774aebf1f3d9615741

Download Submit
C:\Windows\SysWOW64\Oknnanhj.exe

Filesize
844KB

MD5
dcc1dab30628b89cd35b9ec6787f0ebc

SHA1
b7b3e6d0190fe025f5e6fd823fd033f53f4f21bf

SHA256
1ba62e639e619cd33186682a3b33bf57df3d484ec56a9a8a2ad2bb39ba9b45e7

SHA512
aa001b55b4528c77c42f690b4dc03b7f4b10a53500a64f809ec15d230ff1a56839d62d09b181cea60aea5698559ed2e2ac2fb849ae0348084adcab1ef7c1b085

Download Submit
C:\Windows\SysWOW64\Opopdd32.exe

Filesize
844KB

MD5
24410acf48a582cc35a62aff5091493a

SHA1
d3bb56238b26e446f2de532e06300fc40b75d8ae

SHA256
7c3c7a14303491224a1fb99a06928395eb4bb5752524210d4e090e16c7a7117b

SHA512
d25839ef20827c7a60f1c81afde38456fe4a65f176c84055d50181c9113224e0713d365388b8a858a50422dc0d1085108b6e79d91c65b348412da446096bc603

Download Submit
C:\Windows\SysWOW64\Pdmikb32.exe

Filesize
844KB

MD5
7f00737786f236adfacab4f98b3fefe9

SHA1
3a613d35109fdb450e6358641a81a3e91cccfe30

SHA256
1de300b0ea85ed60f7daac8bb31839ed0a3c203090fae172a5bb8530681a614d

SHA512
3212f1efeaf75a9d8973269ef22bf63ff0b194384454ed276e1a90e66fcc866f3de7c924fb2fb2425e95ac10ddec60375fd03aa75f4de698c4005bb142c506fb

Download Submit
C:\Windows\SysWOW64\Ppdjpcng.exe

Filesize
844KB

MD5
a98959e45d6f5e193eb5884d105b6bce

SHA1
863215ddc0a55e5e246419155120ebe472ea44c5

SHA256
322a9282c6957d8c516304efe43a4296a608de8daeffacb221bb4a681f7e0278

SHA512
edb822dd1e174d8d115be6f5c071227dd93c987bd2f957410fb4d93b202c194a54173e3513c2b4b0b3ad2ec683fcba57cd4565dd4c158b365fb258463a405249

Download Submit
C:\Windows\SysWOW64\Pphckb32.exe

Filesize
844KB

MD5
33f778f083cce284d6f3b16f6c40638a

SHA1
a1976bee0898fc9b40b685879e340b3f1cad23da

SHA256
15cca947cc25312dc27ac5981c4693da835b1dc9b6e04d73909497a1f118c920

SHA512
8f0a02a9e6ff2776cab3c4b547512b77351407753b6ead1a3ecd8ef2c62ddf47ff74bb6a01f77ee2a403916c47d76387848e25fe0947be95a4bec58aa6c1bbe1

Download Submit
C:\Windows\SysWOW64\Qgehml32.exe

Filesize
844KB

MD5
1b25decd0bbee6cf60b4d32f25792495

SHA1
e132011f3c59743683238129ec37d12145fc4895

SHA256
83e7a4724816aafbe8200fda989d85496676dde6fce162bc6df21ec102bd86aa

SHA512
d53b6c237aef2743a577a89bf4c0dfd6a597c59d6ac16739c1fd56ebc266f75a552140acc2f7469fed4a4e65f140e2c337287e941ac2e3e479f33375ee40af80

Download Submit
memory/8-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/32-546-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/324-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/492-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/764-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/764-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/828-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/860-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/872-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/940-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/944-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1068-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1140-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1148-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1380-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1452-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1484-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1488-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1544-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1556-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1620-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1636-500-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1648-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1668-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1680-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1820-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1872-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1928-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2024-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2072-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2372-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2376-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2568-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2608-599-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2608-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2640-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2760-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2840-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2948-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2984-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3044-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3140-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3252-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3376-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3420-404-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3464-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3500-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3500-585-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3572-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3648-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3736-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3756-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3904-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3904-578-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3980-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4060-450-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4068-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4100-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4100-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4144-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4160-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4372-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4404-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4408-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4468-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4616-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4632-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4740-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4776-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4796-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4828-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4860-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4860-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4868-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4952-592-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4952-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5128-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5172-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5220-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5260-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5304-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5352-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads