3892a82af488f11e1da5082d28b963e65a6908c83d4554db1a6c76cbaeb8f204

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 20:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3892a82af488f11e1da5082d28b963e65a6908c83d4554db1a6c76cbaeb8f204.exe
Size

860KB
MD5

ea0bb7c1cae626579d1abfee1185b3a4
SHA1

0f7c3da6e82bb42a131457d088941f3499ff8b92
SHA256

3892a82af488f11e1da5082d28b963e65a6908c83d4554db1a6c76cbaeb8f204
SHA512

a811371af1a6a5defc0f565a219caeff82e68b73fbf79b2ce3a3e992a166315abf470d07adeb001cb27bf41a41224d3e864428607f5cf74282356e8f871b90ca
SSDEEP

24576:p5hPuh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YS:QbazR0vD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibnjkbog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilkhog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdgdeppb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abfdpfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbeip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhhodg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Logicn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apggckbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijiopd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hghfnioq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcnnllcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgcmbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibbcfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbbkocid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajaelc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibnjkbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqikob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbncbpqd.exe

Executes dropped EXE 64 IoCs

pid	Process
1680	Pfhmjf32.exe
3492	Qamago32.exe
1108	Qclmck32.exe
2360	Apggckbf.exe
4524	Abfdpfaj.exe
3612	Ajaelc32.exe
1436	Bpqjjjjl.exe
3324	Bbaclegm.exe
4280	Bphqji32.exe
2036	Bbhildae.exe
3540	Cgfbbb32.exe
2520	Cigkdmel.exe
1580	Ckidcpjl.exe
1428	Dkkaiphj.exe
3292	Dahfkimd.exe
4160	Dnqcfjae.exe
5012	Ddmhhd32.exe
4196	Ecbeip32.exe
2404	Ecdbop32.exe
1388	Ejagaj32.exe
4416	Edfknb32.exe
224	Egegjn32.exe
2940	Fjhmbihg.exe
4848	Fqdbdbna.exe
4476	Fbdnne32.exe
4568	Fqikob32.exe
4692	Gdgdeppb.exe
3356	Gclafmej.exe
2212	Gcnnllcg.exe
1744	Gbbkocid.exe
1064	Hcedmkmp.exe
4548	Hgcmbj32.exe
220	Hannao32.exe
3124	Hghfnioq.exe
2880	Ibnjkbog.exe
3200	Ielfgmnj.exe
4308	Ijiopd32.exe
2108	Iencmm32.exe
1068	Ijkled32.exe
1204	Ibbcfa32.exe
4856	Ilkhog32.exe
4888	Ihaidhgf.exe
3276	Iajmmm32.exe
1772	Ihceigec.exe
2984	Jlanpfkj.exe
2484	Jhhodg32.exe
1848	Jbncbpqd.exe
4344	Jhkljfok.exe
4480	Jnedgq32.exe
2528	Jlidpe32.exe
4776	Jddiegbm.exe
1180	Jlkafdco.exe
4928	Keceoj32.exe
952	Kbgfhnhi.exe
1956	Kefbdjgm.exe
3368	Klpjad32.exe
4464	Klbgfc32.exe
552	Kkegbpca.exe
4668	Kejloi32.exe
2128	Klddlckd.exe
2492	Kbnlim32.exe
8	Kdpiqehp.exe
3956	Loemnnhe.exe
652	Logicn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hcedmkmp.exe	Gbbkocid.exe
File created	C:\Windows\SysWOW64\Iocmhlca.dll	Bpqjjjjl.exe
File created	C:\Windows\SysWOW64\Hdedgjno.dll	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Cnidqf32.dll	Egegjn32.exe
File created	C:\Windows\SysWOW64\Kejloi32.exe	Kkegbpca.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Cgfbbb32.exe	Bbhildae.exe
File opened for modification	C:\Windows\SysWOW64\Jddiegbm.exe	Jlidpe32.exe
File opened for modification	C:\Windows\SysWOW64\Llkjmb32.exe	Lbcedmnl.exe
File created	C:\Windows\SysWOW64\Hbhgkfkg.dll	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Fqikob32.exe	Fbdnne32.exe
File created	C:\Windows\SysWOW64\Klpjad32.exe	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Bphqji32.exe	Bbaclegm.exe
File opened for modification	C:\Windows\SysWOW64\Bphqji32.exe	Bbaclegm.exe
File opened for modification	C:\Windows\SysWOW64\Fbdnne32.exe	Fqdbdbna.exe
File opened for modification	C:\Windows\SysWOW64\Gclafmej.exe	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Hiocnbpm.dll	Iajmmm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhmjf32.exe	3892a82af488f11e1da5082d28b963e65a6908c83d4554db1a6c76cbaeb8f204.exe
File opened for modification	C:\Windows\SysWOW64\Dahfkimd.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Kkegbpca.exe	Klbgfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lahbei32.exe	Llkjmb32.exe
File opened for modification	C:\Windows\SysWOW64\Ibbcfa32.exe	Ijkled32.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Bbhildae.exe	Bphqji32.exe
File opened for modification	C:\Windows\SysWOW64\Bbhildae.exe	Bphqji32.exe
File created	C:\Windows\SysWOW64\Faagecfk.dll	Cigkdmel.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Gbbkocid.exe	Gcnnllcg.exe
File opened for modification	C:\Windows\SysWOW64\Logicn32.exe	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Fdaleh32.dll	Ecbeip32.exe
File created	C:\Windows\SysWOW64\Ejagaj32.exe	Ecdbop32.exe
File created	C:\Windows\SysWOW64\Ihceigec.exe	Iajmmm32.exe
File created	C:\Windows\SysWOW64\Klddlckd.exe	Kejloi32.exe
File created	C:\Windows\SysWOW64\Odehaccj.dll	Klddlckd.exe
File opened for modification	C:\Windows\SysWOW64\Hannao32.exe	Hgcmbj32.exe
File opened for modification	C:\Windows\SysWOW64\Loemnnhe.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Jhhodg32.exe	Jlanpfkj.exe
File created	C:\Windows\SysWOW64\Hgnfpc32.dll	Kbgfhnhi.exe
File created	C:\Windows\SysWOW64\Lbcedmnl.exe	Logicn32.exe
File created	C:\Windows\SysWOW64\Lfeliqka.dll	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Eilbckfb.dll	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Ieaqqigc.dll	Lahbei32.exe
File created	C:\Windows\SysWOW64\Ddmhhd32.exe	Dnqcfjae.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmbihg.exe	Egegjn32.exe
File created	C:\Windows\SysWOW64\Hghfnioq.exe	Hannao32.exe
File opened for modification	C:\Windows\SysWOW64\Ielfgmnj.exe	Ibnjkbog.exe
File created	C:\Windows\SysWOW64\Keceoj32.exe	Jlkafdco.exe
File created	C:\Windows\SysWOW64\Ecdbop32.exe	Ecbeip32.exe
File created	C:\Windows\SysWOW64\Fqdbdbna.exe	Fjhmbihg.exe
File opened for modification	C:\Windows\SysWOW64\Gdgdeppb.exe	Fqikob32.exe
File created	C:\Windows\SysWOW64\Qekjhmdj.dll	Kkegbpca.exe
File created	C:\Windows\SysWOW64\Logicn32.exe	Loemnnhe.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Abfdpfaj.exe	Apggckbf.exe
File opened for modification	C:\Windows\SysWOW64\Abfdpfaj.exe	Apggckbf.exe
File created	C:\Windows\SysWOW64\Bdelednc.dll	Hannao32.exe
File created	C:\Windows\SysWOW64\Ijkled32.exe	Iencmm32.exe
File created	C:\Windows\SysWOW64\Ilkhog32.exe	Ibbcfa32.exe
File created	C:\Windows\SysWOW64\Pedfeccm.dll	Dahfkimd.exe
File opened for modification	C:\Windows\SysWOW64\Hghfnioq.exe	Hannao32.exe
File created	C:\Windows\SysWOW64\Qamago32.exe	Pfhmjf32.exe
File created	C:\Windows\SysWOW64\Qclmck32.exe	Qamago32.exe
File created	C:\Windows\SysWOW64\Fbdnne32.exe	Fqdbdbna.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3788	3076	WerFault.exe	162

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbdnne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcedmkmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijkled32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbbkocid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkljfok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jddiegbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abfdpfaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhildae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqikob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3892a82af488f11e1da5082d28b963e65a6908c83d4554db1a6c76cbaeb8f204.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ielfgmnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhmjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajaelc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecbeip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijiopd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfbbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdgdeppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkhog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlidpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihceigec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qclmck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphqji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgcmbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iajmmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cigkdmel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iencmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbaclegm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckidcpjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibbcfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hannao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qamago32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahfkimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edfknb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbncbpqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkafdco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpqjjjjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gclafmej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hghfnioq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihaidhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibnjkbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefbdjgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apggckbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecdbop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egegjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcnnllcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gclafmej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgcmbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odehaccj.dll"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fooqlnoa.dll"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcnnllcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdlidhm.dll"	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkjoj32.dll"	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbojb32.dll"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbobjbh.dll"	Hcedmkmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll"	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehojk32.dll"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjcam32.dll"	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jddiegbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hghfnioq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnidqf32.dll"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmoak32.dll"	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egegjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjaofnii.dll"	Bbaclegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll"	Bphqji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abfdpfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keceoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajbnn32.dll"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egegjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcedmkmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 1680	636	3892a82af488f11e1da5082d28b963e65a6908c83d4554db1a6c76cbaeb8f204.exe	90
PID 636 wrote to memory of 1680	636	3892a82af488f11e1da5082d28b963e65a6908c83d4554db1a6c76cbaeb8f204.exe	90
PID 636 wrote to memory of 1680	636	3892a82af488f11e1da5082d28b963e65a6908c83d4554db1a6c76cbaeb8f204.exe	90
PID 1680 wrote to memory of 3492	1680	Pfhmjf32.exe	91
PID 1680 wrote to memory of 3492	1680	Pfhmjf32.exe	91
PID 1680 wrote to memory of 3492	1680	Pfhmjf32.exe	91
PID 3492 wrote to memory of 1108	3492	Qamago32.exe	92
PID 3492 wrote to memory of 1108	3492	Qamago32.exe	92
PID 3492 wrote to memory of 1108	3492	Qamago32.exe	92
PID 1108 wrote to memory of 2360	1108	Qclmck32.exe	96
PID 1108 wrote to memory of 2360	1108	Qclmck32.exe	96
PID 1108 wrote to memory of 2360	1108	Qclmck32.exe	96
PID 2360 wrote to memory of 4524	2360	Apggckbf.exe	97
PID 2360 wrote to memory of 4524	2360	Apggckbf.exe	97
PID 2360 wrote to memory of 4524	2360	Apggckbf.exe	97
PID 4524 wrote to memory of 3612	4524	Abfdpfaj.exe	98
PID 4524 wrote to memory of 3612	4524	Abfdpfaj.exe	98
PID 4524 wrote to memory of 3612	4524	Abfdpfaj.exe	98
PID 3612 wrote to memory of 1436	3612	Ajaelc32.exe	99
PID 3612 wrote to memory of 1436	3612	Ajaelc32.exe	99
PID 3612 wrote to memory of 1436	3612	Ajaelc32.exe	99
PID 1436 wrote to memory of 3324	1436	Bpqjjjjl.exe	100
PID 1436 wrote to memory of 3324	1436	Bpqjjjjl.exe	100
PID 1436 wrote to memory of 3324	1436	Bpqjjjjl.exe	100
PID 3324 wrote to memory of 4280	3324	Bbaclegm.exe	101
PID 3324 wrote to memory of 4280	3324	Bbaclegm.exe	101
PID 3324 wrote to memory of 4280	3324	Bbaclegm.exe	101
PID 4280 wrote to memory of 2036	4280	Bphqji32.exe	102
PID 4280 wrote to memory of 2036	4280	Bphqji32.exe	102
PID 4280 wrote to memory of 2036	4280	Bphqji32.exe	102
PID 2036 wrote to memory of 3540	2036	Bbhildae.exe	103
PID 2036 wrote to memory of 3540	2036	Bbhildae.exe	103
PID 2036 wrote to memory of 3540	2036	Bbhildae.exe	103
PID 3540 wrote to memory of 2520	3540	Cgfbbb32.exe	104
PID 3540 wrote to memory of 2520	3540	Cgfbbb32.exe	104
PID 3540 wrote to memory of 2520	3540	Cgfbbb32.exe	104
PID 2520 wrote to memory of 1580	2520	Cigkdmel.exe	105
PID 2520 wrote to memory of 1580	2520	Cigkdmel.exe	105
PID 2520 wrote to memory of 1580	2520	Cigkdmel.exe	105
PID 1580 wrote to memory of 1428	1580	Ckidcpjl.exe	106
PID 1580 wrote to memory of 1428	1580	Ckidcpjl.exe	106
PID 1580 wrote to memory of 1428	1580	Ckidcpjl.exe	106
PID 1428 wrote to memory of 3292	1428	Dkkaiphj.exe	107
PID 1428 wrote to memory of 3292	1428	Dkkaiphj.exe	107
PID 1428 wrote to memory of 3292	1428	Dkkaiphj.exe	107
PID 3292 wrote to memory of 4160	3292	Dahfkimd.exe	108
PID 3292 wrote to memory of 4160	3292	Dahfkimd.exe	108
PID 3292 wrote to memory of 4160	3292	Dahfkimd.exe	108
PID 4160 wrote to memory of 5012	4160	Dnqcfjae.exe	109
PID 4160 wrote to memory of 5012	4160	Dnqcfjae.exe	109
PID 4160 wrote to memory of 5012	4160	Dnqcfjae.exe	109
PID 5012 wrote to memory of 4196	5012	Ddmhhd32.exe	110
PID 5012 wrote to memory of 4196	5012	Ddmhhd32.exe	110
PID 5012 wrote to memory of 4196	5012	Ddmhhd32.exe	110
PID 4196 wrote to memory of 2404	4196	Ecbeip32.exe	111
PID 4196 wrote to memory of 2404	4196	Ecbeip32.exe	111
PID 4196 wrote to memory of 2404	4196	Ecbeip32.exe	111
PID 2404 wrote to memory of 1388	2404	Ecdbop32.exe	112
PID 2404 wrote to memory of 1388	2404	Ecdbop32.exe	112
PID 2404 wrote to memory of 1388	2404	Ecdbop32.exe	112
PID 1388 wrote to memory of 4416	1388	Ejagaj32.exe	113
PID 1388 wrote to memory of 4416	1388	Ejagaj32.exe	113
PID 1388 wrote to memory of 4416	1388	Ejagaj32.exe	113
PID 4416 wrote to memory of 224	4416	Edfknb32.exe	114

C:\Users\Admin\AppData\Local\Temp\3892a82af488f11e1da5082d28b963e65a6908c83d4554db1a6c76cbaeb8f204.exe
"C:\Users\Admin\AppData\Local\Temp\3892a82af488f11e1da5082d28b963e65a6908c83d4554db1a6c76cbaeb8f204.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\SysWOW64\Pfhmjf32.exe
  C:\Windows\system32\Pfhmjf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\Qamago32.exe
    C:\Windows\system32\Qamago32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Windows\SysWOW64\Qclmck32.exe
      C:\Windows\system32\Qclmck32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Ajaelc32.exe
        
        C:\Windows\system32\Ajaelc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Gcnnllcg.exe
        
        C:\Windows\system32\Gcnnllcg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Hghfnioq.exe
        
        C:\Windows\system32\Hghfnioq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Ibnjkbog.exe
        
        C:\Windows\system32\Ibnjkbog.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        67⤵
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 400
        71⤵
        Program crash
        
        PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4200,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3076 -ip 3076
1⤵
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abfdpfaj.exe

Filesize
860KB

MD5
a711a72486dcc1b0b8423dc99dff4420

SHA1
0b95825084cc28d2c748303e201c59f96de03cd9

SHA256
53a6ade731cf9dbaac670c9458aa437f65c791a8a5b40a008376b088dc335d06

SHA512
d7ed9e893c7e6d543a2a6813198936ddfde606b9c93850d05c3b6c6eefe758366278f98aa1b9ef2071848c03b2bf8c068b9b2d21283cf26dea5a52d35d791241

Download Submit
C:\Windows\SysWOW64\Ajaelc32.exe

Filesize
860KB

MD5
81e007875b7a401dc8779d327c11fa47

SHA1
2009ce6b1483cbd9ab5666239802e42c54abb8c2

SHA256
2f855e598e80924ad872277c3dc0cceeecdd19285811bd52bfe5db7f862bc0c8

SHA512
c3cd833fe6e5e46f303fb6593bb5180e5707fd4212497a662eafe9892d445b7ac4e4cd3b997de526abcfc650778c4c39e2d29486d85d83e20b8533c33c1ee885

Download Submit
C:\Windows\SysWOW64\Apggckbf.exe

Filesize
860KB

MD5
9113ccd6c66af3b4f61f1d58af11b29e

SHA1
5d62f24ad1219f33d3e7dae8400ee42ebc49e9aa

SHA256
2256ecdfa5aaa512754f718cb4336afa3faee124cfed97d2312145905fab6c38

SHA512
5b897ce8270d4e32336308ac772ca9202046e7e6fc84306acad128043710472bbb31dad42ccf657d3a13b122ad202bd348b31e919f9031583adb01007d6707e2

Download Submit
C:\Windows\SysWOW64\Bbaclegm.exe

Filesize
860KB

MD5
6a2f4123ae053d789840d881f49d35f9

SHA1
5382de8921b02276884034ff261a99281ba70e23

SHA256
39b53bb0001d3e9a17fc513421f0cc2d7c267db287a00af16e53340dbe84c492

SHA512
8e399cd6bee3f9fc8650860a9eb2376efa1688f1b87bcc8dfbe68bcdccef97f982811d1bbc63c25a3495da51538500ff3a8998b26681721a12d145ae3c67e5fd

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
860KB

MD5
409c66644f133d12418b84707d85d9b1

SHA1
adb6bafc441c6b6f254e62d9a43ec5c85ff8d7e8

SHA256
cb35c2f0dfa6e33ca345d75cb1d3f2a9d2f3a82ebc67c9bf969c358e1bdc6ecc

SHA512
16a2b75c74088f1e9bc9788e1335a38ff6cf4f413f00e793baf43139b0efc97f035fd6c4638aab37deaf127d4f9c793ca82c2aea58c53a566fe688acd58841a2

Download Submit
C:\Windows\SysWOW64\Bphqji32.exe

Filesize
860KB

MD5
db7bd10f31ebd7c06930f69e6ad5feb7

SHA1
9307384f68296a3ca2f0a3e17c55012d437d3366

SHA256
84d524e1b1dda784456ecd6e1fdc613906b91b87df0a5d6e059efa5041676640

SHA512
e8019e505aca794a7a226196d03aaa702ba8359042b38f99ebd5cb66f9f4c66379640abd02ded24b4d48a085d53c9851062b3db5cd2b5cd23d1a2048fedee21a

Download Submit
C:\Windows\SysWOW64\Bpqjjjjl.exe

Filesize
860KB

MD5
180db6cedc539d454e7a5715a49779e1

SHA1
e12c43b21a56261acc62d80324bdba9366cdc54d

SHA256
bc37d7568f68b72ccf01a3707a3bbdc3d62a17d503d231fc1b73467cd34b79a4

SHA512
0b59d5da80c37ac3bfefc46686a051b45e22c97fd25a2842d41aa40be7d85a9b977a81e17b774a8caea125a4cd4994290abc5cbcc8b8cb941a86aa82116a95f7

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
860KB

MD5
1294b654163db90337077dd49b8f404a

SHA1
b83ab2919bce19a6ba6248e2545adea93a2d3c62

SHA256
a07ffc8ffe61c24effeaa41c8ff29cdc6abee846bf7cfe5a83911263fc6e0726

SHA512
e4b5ec9cf45d087ce09fede2520125ab132e95dfb63aabe7b81b4e47249e769f83923cd640128ccd6d411b97e5419a7d61f5a0d842b021bec23619013580b974

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
860KB

MD5
9a4aff7ed86647a2e5ef269806a4861d

SHA1
a8eb5a60b018489048f285714b7a4a6f12da0df4

SHA256
8c709e52d8ccea324105bd0923ff67d5e6e16f9971ef5820b0d44ff407c41f6a

SHA512
39e03198c3bdded90228399199ace01545891db23934f37f58460d09bf574233ce2500816ef067bf2e65e1d795bd5778a8a73623470389c50aabaafe2d08416a

Download Submit
C:\Windows\SysWOW64\Ckidcpjl.exe

Filesize
860KB

MD5
2503625717f6ea67113ad780524f564d

SHA1
4445458fb0b46a745c29c5aff02666c9ece47d45

SHA256
2d1256b0d7a0dbc371e7106a646736b86ac0344ccef31e4eef687dcda907c2a7

SHA512
3b33fa8320016800742013eac0cc695db8ef039a1385e5ad6f0f64471bf30ddb5df2bb586f31276c7dc10985483071a0f086f88fdbab0d0df2071a3724573e4e

Download Submit
C:\Windows\SysWOW64\Dahfkimd.exe

Filesize
860KB

MD5
a803bc32dc499e6ed365def5ad252aa3

SHA1
13206b8e6ab11ba59a1da6f4f07f62531a76839e

SHA256
69cdefc48117b7c50ddb98b339f7ce3f799e8aa8ca8c3f3e3c3b94f64734be5c

SHA512
08011aa474d66a3c7607ac76724eab616082d8ec620768534d307f2a7b30324e7a6c5c3da153c1df67eb985d8d47351e1448c0d39b89a221e05d805b69f6095c

Download Submit
C:\Windows\SysWOW64\Ddmhhd32.exe

Filesize
860KB

MD5
8031e1650d1b1abfa6c9e4051ead6124

SHA1
84f76471d5277bf6cebffa1ab405d9dcb27f9f3d

SHA256
b0d183d9974aba0c451d0ce27b832cd363f9e695a947977382b9fe7a44fa53a2

SHA512
99d186ea07ba7b9a6c7489a1f4559f8c8942f2eafcdfed2651fad9a3cdba4aa2c1cde5b5aa5ffda685ffca4072d9488b584eb44f23052b1498a0cac653d13b12

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
860KB

MD5
36d9d1cddb187ca379a69db3200e43c8

SHA1
b38318720665ecc2e30b329d1c7cd2818479069f

SHA256
5305abf50f78da3cb081d4f0c611aef6e4a14aa1d5e789572ae80e41eec15656

SHA512
010948085aec50f437cd2f18de6cd2c6e59025dc31e6ca081c5acfcd17c9e70c836c4c55a09638c2816b130a9e6e28e6890229892b51519268d9046ff9bf7e04

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
860KB

MD5
c7a7d9677d8407a5284d947cea16604b

SHA1
d11ec6beb5cbc88ea430d585a9b664d65dd506ed

SHA256
c15161ef6a1164e447b6ac5c8d84757e2f3d61acb3ba00a017c701e8df57f1d3

SHA512
8109763819d0ddfb203c25e5cbdf3ef14b3724e8a4e9272baa771d025c7f6bf5d092f4c20e57cc085105123c91f24973e74799e13f45450f674c9e40e3bae6be

Download Submit
C:\Windows\SysWOW64\Ecbeip32.exe

Filesize
860KB

MD5
bfe6f702974fdd9b362a5f736aa7e9b4

SHA1
fadb99e3d53a4a1b23ae0ab02c1fc3f37e1af196

SHA256
d494e8299f3325b135145f5ec7a5c9f633ce4cd9187e7a5220659071817f237d

SHA512
df245a303f4fd4916cb4e7dea2228dc8db48a5e5517d51c041d3b0c3b0e55a5a71c81afe5a49ef9efdc304d13f0957ff68c012d5f001541a64f5f5461510469c

Download Submit
C:\Windows\SysWOW64\Ecdbop32.exe

Filesize
860KB

MD5
883c34fb17b09743ddabf48b53dd543b

SHA1
95728ca7bf08573c378e1d098cb77728fb2da2a5

SHA256
705cb58a4b624c871f304fdb4f4a157e057052359efe92a17014c28a0901d872

SHA512
c690316a8ec9468ef75fd42e3df4bc0c10a06941e6fa762388883f4d67fbcd2c23c8f992e126074bfeadec311428c1c522481da436523a82939f213f136e46d3

Download Submit
C:\Windows\SysWOW64\Edfknb32.exe

Filesize
860KB

MD5
c4bce070a0150c0c502141b4461f8b4e

SHA1
29f8d03c6112ce585688ee8108324b21af2af154

SHA256
6f772ba6eb5966286d521620e592fee31ad8b19629682e2118513ddc690ffb2d

SHA512
65bd94715af02dd4c39b9ae5edd383ea406942976daec09564f2a5691549857d7c3fe6d1bc5ee8ec478f4329fed7ab871585b647dc3c51afdc5d912a37fbc9aa

Download Submit
C:\Windows\SysWOW64\Egegjn32.exe

Filesize
860KB

MD5
df360917d0a7ff754647d66787c75eb2

SHA1
bfa24551984b6ee42b28421ffbfa3045eb1e9d42

SHA256
c3fa2a3363576c960bc13fc32a2e3427b4c96c9e0b6b795b3fa26cd54172f7d2

SHA512
0d13afaded54a9d3de5c6b2ae49c71a55171f5766c1bed8b23aeaa34651f62154d3c1a1d4b375f647fd3e3d70c29ba9c7c1bfad067bf6c56033945d164e31f4a

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
860KB

MD5
49fa2e810820371f83f684124b14b06d

SHA1
ee54b280ddd24436c64a7214c492ce96efe5b9f8

SHA256
a76c074e48c0c68205fb44269e84ee35b6eefb0f1a05a6d84b729dd1e33e72a1

SHA512
411eb92561b1199c5837d857945e164b745ed5f9e09c0ecfd33f7cbcef7f3db9e1f6b9ab5352fe7fc7768e9b843e52dba3969fae7030d682fade679140a36b46

Download Submit
C:\Windows\SysWOW64\Fbdnne32.exe

Filesize
860KB

MD5
ffd5954e399fe96fac0af435c31c0fbd

SHA1
7fc896247591665aee811998fbe40692f0baacb9

SHA256
39f2ae9f420e9cb5002c64ec259c313ec6636d53e3abef6f01e4bf8abc964971

SHA512
a300a42ec4a013564d1aab213fa55718b49693c77cc39ab444f56fad0bef52d520286a51f2ed06035ba59c23d2f4792c7e94b81c4c12693eeafb202b733509e9

Download Submit
C:\Windows\SysWOW64\Fjhmbihg.exe

Filesize
860KB

MD5
a0676a7d4f0098be7493554d272f0ed9

SHA1
90f48061dad92ba1fb35e48d954f99d2c012dc6f

SHA256
76116d904412c8b03c66652a20a45f24b4c1a7b5bda19052e0b5cef2c0617a84

SHA512
a67e6751e7f35cab370ac059aa0af5c44c064129ed5c77deb8d08e24539ed31620a2024af0d354bfb843a415d6f6ec8070c14cce8cb67e6a3bf65191c9373fc5

Download Submit
C:\Windows\SysWOW64\Fqdbdbna.exe

Filesize
860KB

MD5
4456034d4218d2a1f0a0f7c792edf475

SHA1
669df5b90289881c9b11064b9d0f3e6296b0bed6

SHA256
8c91a344e3fb28103bdbdaba022e3a4fbbcae8f0c872c0be74048bc9f5d6f1b2

SHA512
e477508cbcfcc2525911c7711071f512be05763ae83d953be3cfc7716ee0d3ca7602c7c2359768b181c57cce855d625c7feedc2130906ccf13173b8ff8d5eef3

Download Submit
C:\Windows\SysWOW64\Fqikob32.exe

Filesize
860KB

MD5
4a5040b4835d536d0c992f0c00a3564d

SHA1
5c7970aaa8fca13087b5c3da5b058007305a7edd

SHA256
310a7d57ad076695f39c83c777fd5d9d6f6f58ef337ee29a6158894b957a760d

SHA512
f0de9aa7d643716e361ce58d6275d78394c4dcadd44ac9664c729fec3fc05ac68c36460dea274c4dcccc46347a04bd46c74a13005e99a616f3a274145cf332fd

Download Submit
C:\Windows\SysWOW64\Gbbkocid.exe

Filesize
860KB

MD5
0c69781baa8318f4c5a81a4ceec3cff2

SHA1
1a02ef4e9a14715437b33d2d9b5bd0198abf6e05

SHA256
52a4501f52db5b0222eafeb7a0696034e25d7a0222dd2d5a8865230c747dc548

SHA512
ac22176a03c6e3d05766cff3152d090ce68c62e72c1e832a26587ee7f6ab9094b2db786eed221a671fa16281a01ef7def05d3ad79050ea986adcc43b6f1cf943

Download Submit
C:\Windows\SysWOW64\Gclafmej.exe

Filesize
860KB

MD5
bcd7f0a51c719b6aa0cf2136105c8f4a

SHA1
dda5e7e49e54a90ab90411dad12360eed7c999a2

SHA256
2ba7e785e65be956b7d69f2bd05f59982036f7918ddd4c7e1b4150b1206ce148

SHA512
bbb852df83cfd528930475f8fe52949f32c334d055c14eda972fc2d11fa6789356376f812cae76c5fb2f5258d49c28e15b939a34fd9da24193b964eede7cbb8f

Download Submit
C:\Windows\SysWOW64\Gcnnllcg.exe

Filesize
860KB

MD5
6a696ef49e4cf7dfc586f020e35c0ca0

SHA1
1f5c99b98e96fc4e6107224600e0a6c015edcb08

SHA256
dee187b6659de5b1f7f8c7042ea490df0ac743cc6684cb2779e64cff7caf3288

SHA512
ac005ee75704416bbbbdfac315397d45abf5ff30e78263575c87d4335241d64ab23cf6549e7a6b53ebe00d25b21e49023b118902a7a11bb1d34a21034b1c0754

Download Submit
C:\Windows\SysWOW64\Gdgdeppb.exe

Filesize
860KB

MD5
ddd5310f0b7161ce3ee52d3e373b248a

SHA1
c6be2af05ade528c440522b322443c25e4aac0c4

SHA256
27ac25054b60b652b878a71ce7212dba1613bf44f4befba4500ddd2c5830305c

SHA512
5ae68426a25ab14077e8c8850c30698be79a7ff6abb9bff7210f0f00f7d7368c9b1a82c2ee8c0e78557526b9ddf171e34074c3c7de7879abdf5194a32b9fc35d

Download Submit
C:\Windows\SysWOW64\Hcedmkmp.exe

Filesize
860KB

MD5
274e462b98e3f2517c215512d3fddb35

SHA1
92adefb512608d39b2d6bd529452e30373495f97

SHA256
5f388fcbb6cc302d1838d29b816feb789a4ea604ac63273a5e21e3917484bf42

SHA512
f4170f4634dd21301d68f7562f0c6548ce34eca2a49d3089a3e4d64fa99b38e331c5ecb136ad64ff74bfce30bb404f3eea6f600dbcf900900ecd948be08c0e15

Download Submit
C:\Windows\SysWOW64\Hgcmbj32.exe

Filesize
860KB

MD5
efdeebbf4b66a021da90a4ddd9b9365c

SHA1
af1ca76bd61553136224dbc8cc1cd7dde943e616

SHA256
65f2463b30a10b35968aa02f51d6ea1ef7ab10d13e0366af93f726410b75e353

SHA512
d39266dc940175258929b6b1d780ab0a30c7a3ccbd41b9dc225ee84b22d36a7b57fa083c4895bbed17fc814152cb25b9f1361489b22d9e9706ed0af11acadb33

Download Submit
C:\Windows\SysWOW64\Ihceigec.exe

Filesize
860KB

MD5
df984d9cafcd54a5b6dc89fcefba5aed

SHA1
7e9ca5db2d856c6d40552dafd4e808bbd0443245

SHA256
cdb403c5c7e0ad6d9a972332d4131cc0c578aeeb0c2568cf578328dc0a063b43

SHA512
e897c3299180b493aed769573bd38ee7b0b24c68bfb4232e3be7a2580089f28f0bbe61308c72f7e03d5f19025b78276dbb84f3321d52b4209852fb391c45fa6c

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
860KB

MD5
27964e76382d30dc2941f6a0950d6a77

SHA1
f4e138823f0be0699087d5fb6df2e2537afe4d83

SHA256
11f14b0e2d4dd3d8140921944a54c3b9c0acb3e9a79242586e4c0283ce3ee6a8

SHA512
3311174a85bca236b73bafe82a09f30cf9b9137fec71353e0a8adca682ea4fb70e42df77ac2b328d651888ef71be5408b04e9edcb38f9706ee69f002bde6d906

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
860KB

MD5
c351944a53b62f0d78df262ec982c66e

SHA1
4e03246a3fc14ef480e0a45cc299f6ac43090371

SHA256
1b4c76ed725c619ea468bbc8bd28f26bc72cccaea6f78c232bebad6e7dd5e018

SHA512
aecd44afdb43ddbbb683e870f7e03fab347634f7740c365a4ac225be2e24e0bf31276837d86c486be927f9de403edb0f10dcd5edd2532ce0bf53a0e55ed19623

Download Submit
C:\Windows\SysWOW64\Keceoj32.exe

Filesize
860KB

MD5
bd013b18ceaa596106fe31e0702f0a20

SHA1
18a3252d934f8ccf35986a77563bda1a4cdbb410

SHA256
681e593cb0469e5da982aa2f934d6aaabaf9466d9210ff081fdbafcc95784769

SHA512
45657969b93c043d3dc23d4ce4eb8fcd055110ae984b4bd163ed89c4e7af4be6dece2bee13664adb6f80be748b45025549d01d6df4bbad843c8de406628c1d38

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
860KB

MD5
cc9ce50f4f6cc09fc2c679dfceabe91b

SHA1
b425d28a52504a3fb5bf62571a2e5aca5d4335e0

SHA256
23fe212d82e28ed0cd6034d2b5bde06d878efb40675cf05608a427f9feb04387

SHA512
07e5d0323d864e2a97ba6fe6694a619a746767aa691198f735f56c1b308743e9317856b218f67e0a135157924a5f7d2588f6f03ed80365d4670d7f9412cffea7

Download Submit
C:\Windows\SysWOW64\Lkqgno32.exe

Filesize
860KB

MD5
c2994903e8d3fa4f9f3b075ae366ca49

SHA1
d6923fefe1ce43429fd4d2b9778745ff12344c4c

SHA256
fed0d1f0777d30bdb8c3ba004364007faac3d6a3cb288857f37fc62f8fe9ec60

SHA512
223027b1665dc82d3f5d496bc79830939557dc7710511c0b1cf635dc6d0e5ba9747e1eaf9971b6b8e2b89de40ab19696646a81a9af93f2d5719ddd8e3ff5452f

Download Submit
C:\Windows\SysWOW64\Llkjmb32.exe

Filesize
860KB

MD5
2006e30484c97bec2692a7ccc5936808

SHA1
e153dc44a7cfd64a935b8357d143c5d35e101eaa

SHA256
ec3ffed25d3d8b15df32943af926c91a9dbe18003e201623894bac2ffdf4e3f5

SHA512
fa721dc5f407fbba80d4cefbf6fa48801646d9ad4f96bcae57cca40daecef26c6e346ab8b42739065f0dc369391e4b7f313d760c2b811412e6998e85c6b1de7d

Download Submit
C:\Windows\SysWOW64\Loemnnhe.exe

Filesize
860KB

MD5
cde832fb088525954431d5f642fe08f1

SHA1
ed600b7e7b08ba708631a3ec5375f6d4c8cdad12

SHA256
20bd83fe48e065cc4e4b0d80a6cff085f0ee4b6afd8dcf9a351a908c4646e870

SHA512
1f82c2aa05bbfc1172f65e39b59ea2fd1c8d391bd42460568919ff755e38d9be4ac737d4701bf2ebc4a723e1e7a8eb1419e27f2ee07be852e516f370cc8608ae

Download Submit
C:\Windows\SysWOW64\Pfhmjf32.exe

Filesize
860KB

MD5
b805fa4a1b77eb031296439eb358c25c

SHA1
6e8def740de4125c18f5ad957d9a08a1a7fa90f7

SHA256
f4cce1433bf9ae4297d6cf2b4b8ff522efb4a4c7d3146a823073209b82c48514

SHA512
cd6a37dae321abf2a8ba6ec246e651f531fb2db77323354c061fe1a35e734af8ee789630108e7195cb9187e0940a288c12e8846e06697724d9f9f32ff1f8b70c

Download Submit
C:\Windows\SysWOW64\Qamago32.exe

Filesize
860KB

MD5
5634f1dea0027034d6418e89a5321a87

SHA1
f0a18b8b8b182bdb6d4ce83eabd4bc928c0633f8

SHA256
7c4e5ae46925e54b608b826ae50dae6bd6904a66b67e9c90bac4a1a8f1afc827

SHA512
980c2c158a8f4b4084ba020b95212d97290a570946b6cb429b235b2323f9a025e65d7a6a564ee610362026fd7a671d4055d952847e60f47d33d2c33a23e9377c

Download Submit
C:\Windows\SysWOW64\Qclmck32.exe

Filesize
860KB

MD5
0102054643fdf6e978e458a9b2987acd

SHA1
961200c2f508bdd3470aa196a49e40c682a2d905

SHA256
283c8d795a7acc8c55e72ed1a47de4e671bc93c041318cc5805b0dafef01b63e

SHA512
b1d2d5eca945ce11eb39e1334b02b11be4e7302e9fd2afcfc9c1c32be66011b095b2947be06f74e8cbea2949dee22314c98ea79c6175a321f4e70343e34942a8

Download Submit
memory/8-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/636-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads