a6560269dfd622a9167b2c7fd1079eae2657aa57719c120ecfc15937420add51

Analysis

max time kernel
117s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 04:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b01ff2d641faa49b7eac06e6c3846090N.exe
Size

64KB
MD5

b01ff2d641faa49b7eac06e6c3846090
SHA1

6052d48bf916e72bbe0dd9e3312eb1e176392c57
SHA256

a6560269dfd622a9167b2c7fd1079eae2657aa57719c120ecfc15937420add51
SHA512

4a57fc21eca0d336af273802d69d4e07ad29ff9991b67c4520a80e68419bf89d3f45cfa8c0801e8750e13f43fc3a23936246a73bf1a80fe6fced18ed17d5f419
SSDEEP

1536:h/h34dZpHt8wJ6+olwTswJgPbS3upKbZe2LasBMu/H1:hZspNbQwiPbS3m8daaN

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomlek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mllccpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b01ff2d641faa49b7eac06e6c3846090N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mebkge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oloipmfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlanpfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Podkmgop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moalil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljbmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbnbemf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Memalfcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Podkmgop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pomncfge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibgmaqfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcppq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khkdad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnbgaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Infhebbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbgfhnhi.exe

Executes dropped EXE 64 IoCs

pid	Process
2628	Infhebbh.exe
2220	Iccpniqp.exe
732	Iholohii.exe
4972	Inidkb32.exe
2992	Icfmci32.exe
2740	Ijpepcfj.exe
3336	Ibgmaqfl.exe
4776	Idhiii32.exe
4584	Iloajfml.exe
3724	Jnnnfalp.exe
4560	Jaljbmkd.exe
1824	Jlanpfkj.exe
2576	Jblflp32.exe
3180	Jdmcdhhe.exe
4740	Jnbgaa32.exe
1128	Jelonkph.exe
452	Jjihfbno.exe
2080	Jbppgona.exe
2456	Jdalog32.exe
5040	Jogqlpde.exe
4048	Jddiegbm.exe
3372	Jjnaaa32.exe
2040	Keceoj32.exe
2904	Kkpnga32.exe
1140	Kbgfhnhi.exe
3696	Kdhbpf32.exe
2656	Klpjad32.exe
3576	Kalcik32.exe
4940	Kdkoef32.exe
2924	Kkegbpca.exe
4440	Kdmlkfjb.exe
3612	Klddlckd.exe
3376	Kbnlim32.exe
3232	Kemhei32.exe
1384	Khkdad32.exe
4344	Lkiamp32.exe
3492	Lhmafcnf.exe
3816	Llimgb32.exe
1532	Lbcedmnl.exe
1020	Leabphmp.exe
1516	Lhpnlclc.exe
2492	Lojfin32.exe
4804	Ledoegkm.exe
2216	Lhbkac32.exe
428	Lkqgno32.exe
4408	Lolcnman.exe
4420	Lajokiaa.exe
3172	Lhdggb32.exe
2060	Llpchaqg.exe
3776	Lcjldk32.exe
1836	Ldkhlcnb.exe
5008	Mlbpma32.exe
3604	Moalil32.exe
4088	Maoifh32.exe
3968	Mhiabbdi.exe
1756	Mlemcq32.exe
4328	Mcoepkdo.exe
392	Memalfcb.exe
4700	Mkjjdmaj.exe
4144	Moefdljc.exe
5152	Madbagif.exe
5200	Mepnaf32.exe
5260	Mklfjm32.exe
5312	Mohbjkgp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndlacapp.exe	Ncjdki32.exe
File created	C:\Windows\SysWOW64\Noaeqjpe.exe	Nhgmcp32.exe
File created	C:\Windows\SysWOW64\Codncb32.dll	Nlgbon32.exe
File opened for modification	C:\Windows\SysWOW64\Pomncfge.exe	Pmoagk32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcdhhe.exe	Jblflp32.exe
File opened for modification	C:\Windows\SysWOW64\Jjihfbno.exe	Jelonkph.exe
File created	C:\Windows\SysWOW64\Leabphmp.exe	Lbcedmnl.exe
File opened for modification	C:\Windows\SysWOW64\Mddkbbfg.exe	Mebkge32.exe
File created	C:\Windows\SysWOW64\Pdngpo32.exe	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Pmoagk32.exe	Piceflpi.exe
File opened for modification	C:\Windows\SysWOW64\Qmanljfo.exe	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Qkdohg32.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Bfdkqcmb.dll	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Okolfj32.exe	Ohqpjo32.exe
File opened for modification	C:\Windows\SysWOW64\Pokanf32.exe	Pmmeak32.exe
File opened for modification	C:\Windows\SysWOW64\Kkegbpca.exe	Kdkoef32.exe
File opened for modification	C:\Windows\SysWOW64\Mebkge32.exe	Mohbjkgp.exe
File opened for modification	C:\Windows\SysWOW64\Pmeoqlpl.exe	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Jjihfbno.exe	Jelonkph.exe
File opened for modification	C:\Windows\SysWOW64\Mcoepkdo.exe	Mlemcq32.exe
File created	C:\Windows\SysWOW64\Jjonchmn.dll	Nkcmjlio.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Aimhmkgn.exe
File created	C:\Windows\SysWOW64\Oofial32.dll	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Nconfh32.exe	Nocbfjmc.exe
File opened for modification	C:\Windows\SysWOW64\Nbbnbemf.exe	Nconfh32.exe
File created	C:\Windows\SysWOW64\Mllccpfj.exe	Mddkbbfg.exe
File created	C:\Windows\SysWOW64\Odedipge.exe	Obfhmd32.exe
File created	C:\Windows\SysWOW64\Bmapeg32.dll	Jogqlpde.exe
File opened for modification	C:\Windows\SysWOW64\Apddce32.exe	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Infhebbh.exe	b01ff2d641faa49b7eac06e6c3846090N.exe
File created	C:\Windows\SysWOW64\Icfmci32.exe	Inidkb32.exe
File created	C:\Windows\SysWOW64\Bibokqno.dll	Jnbgaa32.exe
File created	C:\Windows\SysWOW64\Dfhegp32.dll	Obfhmd32.exe
File created	C:\Windows\SysWOW64\Pmeoqlpl.exe	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Icajjnkn.dll	Ibgmaqfl.exe
File created	C:\Windows\SysWOW64\Ofijnbkb.exe	Ocknbglo.exe
File opened for modification	C:\Windows\SysWOW64\Ocmjhfjl.exe	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Nakhaf32.exe	Nomlek32.exe
File opened for modification	C:\Windows\SysWOW64\Nakhaf32.exe	Nomlek32.exe
File opened for modification	C:\Windows\SysWOW64\Icfmci32.exe	Inidkb32.exe
File created	C:\Windows\SysWOW64\Hnggccfl.dll	Llimgb32.exe
File opened for modification	C:\Windows\SysWOW64\Lolcnman.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Ckmpakdh.dll	Ncjdki32.exe
File opened for modification	C:\Windows\SysWOW64\Obidcdfo.exe	Okolfj32.exe
File opened for modification	C:\Windows\SysWOW64\Oohkai32.exe	Nfpghccm.exe
File created	C:\Windows\SysWOW64\Cjbdmo32.dll	Lhmafcnf.exe
File opened for modification	C:\Windows\SysWOW64\Nomlek32.exe	Nlnpio32.exe
File created	C:\Windows\SysWOW64\Gpmmbfem.dll	Idhiii32.exe
File opened for modification	C:\Windows\SysWOW64\Ocknbglo.exe	Omaeem32.exe
File created	C:\Windows\SysWOW64\Qebeaf32.dll	Pcijce32.exe
File opened for modification	C:\Windows\SysWOW64\Pecpknke.exe	Pbddobla.exe
File opened for modification	C:\Windows\SysWOW64\Jddiegbm.exe	Jogqlpde.exe
File created	C:\Windows\SysWOW64\Cbgabh32.dll	Mllccpfj.exe
File created	C:\Windows\SysWOW64\Bhejfl32.dll	Mkocol32.exe
File created	C:\Windows\SysWOW64\Gcdfnq32.dll	Ohqpjo32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljbmkd.exe	Jnnnfalp.exe
File opened for modification	C:\Windows\SysWOW64\Jnbgaa32.exe	Jdmcdhhe.exe
File created	C:\Windows\SysWOW64\Nomlek32.exe	Nlnpio32.exe
File opened for modification	C:\Windows\SysWOW64\Qpbgnecp.exe	Qkfkng32.exe
File opened for modification	C:\Windows\SysWOW64\Aimhmkgn.exe	Abcppq32.exe
File created	C:\Windows\SysWOW64\Ijpepcfj.exe	Icfmci32.exe
File created	C:\Windows\SysWOW64\Ncloojfj.dll	Pdqcenmg.exe
File opened for modification	C:\Windows\SysWOW64\Kemhei32.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Kkacdofa.dll	Oloipmfd.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Infhebbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpchaqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcoepkdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obidcdfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmafcnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moalil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkjjdmaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inidkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oloipmfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhfknjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jogqlpde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpnlclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlgbon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b01ff2d641faa49b7eac06e6c3846090N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibgmaqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllccpfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nheqnpjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohqpjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaljbmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjihfbno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomncfge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keceoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mepnaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnnnfalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoifh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napameoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iholohii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkocol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noaeqjpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmjlio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcjldk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oohkai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlanpfkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdmlkfjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdalog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdkhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljbmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifiamoa.dll"	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogcho32.dll"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlanpfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcoepkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhodke32.dll"	Keceoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbphca32.dll"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnmfk32.dll"	Mahklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mllccpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khkdad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffcf32.dll"	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcmpceo.dll"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhejfl32.dll"	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddogn32.dll"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdkqcmb.dll"	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkbdql32.dll"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoeiajc.dll"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenflo32.dll"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhomdeb.dll"	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moalil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdghfg32.dll"	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgabh32.dll"	Mllccpfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b01ff2d641faa49b7eac06e6c3846090N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhfnche.dll"	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Napameoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlemcq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2628	2036	b01ff2d641faa49b7eac06e6c3846090N.exe	92
PID 2036 wrote to memory of 2628	2036	b01ff2d641faa49b7eac06e6c3846090N.exe	92
PID 2036 wrote to memory of 2628	2036	b01ff2d641faa49b7eac06e6c3846090N.exe	92
PID 2628 wrote to memory of 2220	2628	Infhebbh.exe	93
PID 2628 wrote to memory of 2220	2628	Infhebbh.exe	93
PID 2628 wrote to memory of 2220	2628	Infhebbh.exe	93
PID 2220 wrote to memory of 732	2220	Iccpniqp.exe	94
PID 2220 wrote to memory of 732	2220	Iccpniqp.exe	94
PID 2220 wrote to memory of 732	2220	Iccpniqp.exe	94
PID 732 wrote to memory of 4972	732	Iholohii.exe	95
PID 732 wrote to memory of 4972	732	Iholohii.exe	95
PID 732 wrote to memory of 4972	732	Iholohii.exe	95
PID 4972 wrote to memory of 2992	4972	Inidkb32.exe	96
PID 4972 wrote to memory of 2992	4972	Inidkb32.exe	96
PID 4972 wrote to memory of 2992	4972	Inidkb32.exe	96
PID 2992 wrote to memory of 2740	2992	Icfmci32.exe	97
PID 2992 wrote to memory of 2740	2992	Icfmci32.exe	97
PID 2992 wrote to memory of 2740	2992	Icfmci32.exe	97
PID 2740 wrote to memory of 3336	2740	Ijpepcfj.exe	98
PID 2740 wrote to memory of 3336	2740	Ijpepcfj.exe	98
PID 2740 wrote to memory of 3336	2740	Ijpepcfj.exe	98
PID 3336 wrote to memory of 4776	3336	Ibgmaqfl.exe	99
PID 3336 wrote to memory of 4776	3336	Ibgmaqfl.exe	99
PID 3336 wrote to memory of 4776	3336	Ibgmaqfl.exe	99
PID 4776 wrote to memory of 4584	4776	Idhiii32.exe	100
PID 4776 wrote to memory of 4584	4776	Idhiii32.exe	100
PID 4776 wrote to memory of 4584	4776	Idhiii32.exe	100
PID 4584 wrote to memory of 3724	4584	Iloajfml.exe	101
PID 4584 wrote to memory of 3724	4584	Iloajfml.exe	101
PID 4584 wrote to memory of 3724	4584	Iloajfml.exe	101
PID 3724 wrote to memory of 4560	3724	Jnnnfalp.exe	102
PID 3724 wrote to memory of 4560	3724	Jnnnfalp.exe	102
PID 3724 wrote to memory of 4560	3724	Jnnnfalp.exe	102
PID 4560 wrote to memory of 1824	4560	Jaljbmkd.exe	103
PID 4560 wrote to memory of 1824	4560	Jaljbmkd.exe	103
PID 4560 wrote to memory of 1824	4560	Jaljbmkd.exe	103
PID 1824 wrote to memory of 2576	1824	Jlanpfkj.exe	104
PID 1824 wrote to memory of 2576	1824	Jlanpfkj.exe	104
PID 1824 wrote to memory of 2576	1824	Jlanpfkj.exe	104
PID 2576 wrote to memory of 3180	2576	Jblflp32.exe	105
PID 2576 wrote to memory of 3180	2576	Jblflp32.exe	105
PID 2576 wrote to memory of 3180	2576	Jblflp32.exe	105
PID 3180 wrote to memory of 4740	3180	Jdmcdhhe.exe	106
PID 3180 wrote to memory of 4740	3180	Jdmcdhhe.exe	106
PID 3180 wrote to memory of 4740	3180	Jdmcdhhe.exe	106
PID 4740 wrote to memory of 1128	4740	Jnbgaa32.exe	108
PID 4740 wrote to memory of 1128	4740	Jnbgaa32.exe	108
PID 4740 wrote to memory of 1128	4740	Jnbgaa32.exe	108
PID 1128 wrote to memory of 452	1128	Jelonkph.exe	109
PID 1128 wrote to memory of 452	1128	Jelonkph.exe	109
PID 1128 wrote to memory of 452	1128	Jelonkph.exe	109
PID 452 wrote to memory of 2080	452	Jjihfbno.exe	110
PID 452 wrote to memory of 2080	452	Jjihfbno.exe	110
PID 452 wrote to memory of 2080	452	Jjihfbno.exe	110
PID 2080 wrote to memory of 2456	2080	Jbppgona.exe	111
PID 2080 wrote to memory of 2456	2080	Jbppgona.exe	111
PID 2080 wrote to memory of 2456	2080	Jbppgona.exe	111
PID 2456 wrote to memory of 5040	2456	Jdalog32.exe	113
PID 2456 wrote to memory of 5040	2456	Jdalog32.exe	113
PID 2456 wrote to memory of 5040	2456	Jdalog32.exe	113
PID 5040 wrote to memory of 4048	5040	Jogqlpde.exe	114
PID 5040 wrote to memory of 4048	5040	Jogqlpde.exe	114
PID 5040 wrote to memory of 4048	5040	Jogqlpde.exe	114
PID 4048 wrote to memory of 3372	4048	Jddiegbm.exe	115

C:\Users\Admin\AppData\Local\Temp\b01ff2d641faa49b7eac06e6c3846090N.exe
"C:\Users\Admin\AppData\Local\Temp\b01ff2d641faa49b7eac06e6c3846090N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\Infhebbh.exe
  C:\Windows\system32\Infhebbh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\Iccpniqp.exe
    C:\Windows\system32\Iccpniqp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\Iholohii.exe
      C:\Windows\system32\Iholohii.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:732
    - - C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        25⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        28⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        29⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        33⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3816
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        49⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Ldkhlcnb.exe
        
        C:\Windows\system32\Ldkhlcnb.exe
        52⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        53⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Memalfcb.exe
        
        C:\Windows\system32\Memalfcb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        61⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5152
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5260
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        67⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        70⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        71⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        83⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3880
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        88⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        91⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        99⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        106⤵
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        108⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        113⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        117⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        119⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6192
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:6252
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        122⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        123⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        125⤵
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6516
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6624
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6764
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        131⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        132⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6984
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        136⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        137⤵
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6232
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6308
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        141⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        142⤵
        
        PID:6512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3032,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8
1⤵
PID:6860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ibgmaqfl.exe

Filesize
64KB

MD5
0b695aef7481d10892196fe580020c8b

SHA1
a7b89aae0ccc0170ba73beab93adf123dcb35afb

SHA256
b0730fb9cf6d964071630f836b312c83d9feb33f21dcaa2b7776b1fdfd0ddc61

SHA512
ecf2a149c432d3de1baf63ea111cc27abfa18fadf5f7353184c1272089dab3ce449df985bfe5b8fce9e28319a434e87a1345617acd2c0e955a249dde2ce92ed4

Download Submit
C:\Windows\SysWOW64\Iccpniqp.exe

Filesize
64KB

MD5
d20a2a2ce11d37225d268718c7aa5a7d

SHA1
d97953f97bba19a4c50961871a72d7b4c047b950

SHA256
fe0dc657701f86f2c1cc5abd4c7efef9ecf2bdb7ec8798489c07b6a4a4439556

SHA512
f5e3113d6132ddc6e7a0800664ca73c33922e608668610d6d5cf1767d8482fa0061ba10812bd7a9ec709e0b64078fee7d03581e61aa66746d35e5e58699d5823

Download Submit
C:\Windows\SysWOW64\Icfmci32.exe

Filesize
64KB

MD5
9253a037072cd946592dff3f2ff5e6bf

SHA1
45b4124bb722f33306db20e24d245a6b691e9720

SHA256
0926eca6d80c15602cfa5bcbc3b3c87e2dacabf04dfce5564e225fc12b274d6e

SHA512
6f3fecd50ad0f2399294af588a0968c80308313fe9256e34487e9699e5c0ab41983aecf6f8b8084604e32bbf1b9c11ea64e7ff855bd093a9e41c82b26ec57310

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
64KB

MD5
27c11e78774794aef09535fb4f0da187

SHA1
7bee88978d15b30816034125b9ea7b03f0796c6b

SHA256
f6c385aed4c19fef82499ba7e270f957286513221162edc2dd0aecb107ed4d2b

SHA512
d114958765fc9ffc243c7c7653a4384fd702905f6274f6b41a86fca50c28df9d633b58c58a153bb2b3bbdf19bedd90a70832640b2639566823ee1f38a24b768d

Download Submit
C:\Windows\SysWOW64\Iholohii.exe

Filesize
64KB

MD5
831ff866a337cf8c3fcf0a4f66bfa45f

SHA1
9462406c00498347394af70e5d7ab60787f8a9d4

SHA256
a92643c3f6da3ac53202fdaad2b619ca03f7a0863f642225e7caddb002d10dc6

SHA512
273a85fbcef90c3dea2e33977e1ee627a597704a2b079e7462e7b16f07af3858d1948d29fc0c6d37d5c8d12309c18a8e5d5873de7a2806b62a3b4bb941c7b3f4

Download Submit
C:\Windows\SysWOW64\Ijpepcfj.exe

Filesize
64KB

MD5
9f7e5d5d84ba1f8ce65e45931428c11e

SHA1
429bc3eb40f36f0ad46878f6d41ccd19a4e86d28

SHA256
be00adeeedb5e64e64fe8924dd63d627707c75f03b2b0cb0e7043434873a47c9

SHA512
9fe0494c0f28d48e01159bf9850d974b899823d28fd64ff2485ae29481d7f7938131fd34d4a3d38a6f915b7fc99bc613c6bdbc1dd023acd5344df1f75d2be2b6

Download Submit
C:\Windows\SysWOW64\Iloajfml.exe

Filesize
64KB

MD5
fec848f2eee5278e6aeee08d1145d8c5

SHA1
5b824937831f94624368c3613d702108d29fadd9

SHA256
071c92df62646bfa69f8921f40b9cf8ac44b893a9af72940177d1c3610f2d90e

SHA512
7680c85335634646315cb5b72755f1bde175c34b9929e4bc8f00e05e3a2a763410b09138ca75b1e0ade2b51440a32a32e8156ce3b0977b22b70aaff47f68b4d4

Download Submit
C:\Windows\SysWOW64\Infhebbh.exe

Filesize
64KB

MD5
8a9ddd875b954939d6fb65c85f9e0e24

SHA1
07746bea1aa6696837cdb3f1cd3d849f349019b2

SHA256
45150ce87f77b86af23e0747ca1a971e5bd74ef1818105c4e3a0d9ebad138257

SHA512
b78ff33af1570197d0ea06edeec474eee9b64cc55670400a4eb9f4c6b40189793946b48470755e77cfb88b34de3b360241055503d68231fadc6a7f7c45d88a27

Download Submit
C:\Windows\SysWOW64\Inidkb32.exe

Filesize
64KB

MD5
01b2d236d588dc88b002f890cbf7cfd5

SHA1
86f241c866e0ef9b2562c897aa7efef496cd9f1f

SHA256
d1106533e25864610939a52e2365f246eda65e7104c6938d91f8f6abc21fface

SHA512
dcd07c284ddd90d541d22d1438937706cf7a1ad32ce3871ba9c346bf071211a6cd1b145c82213ac8987f7bd84a191352836088424fbc13f7681d21ef3cab1dd4

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
64KB

MD5
deb2666866855f01c8478eef12322f1a

SHA1
ffd1d45e0a9bb30ea5460dcb5ac8043ceb177e52

SHA256
87c5bf871bc5c08c8f4e1d1da5378cdba03a8dd9d7a44f7f92c4487aa689d0cd

SHA512
f5a3eade0a3cdc81075e39cfcaf02a9a28e1a0e35296059a2c972cf9767bae6822a96bc9b31b3c0dad3f4a30c0094452f87f84188093c1d672339411f26011ea

Download Submit
C:\Windows\SysWOW64\Jblflp32.exe

Filesize
64KB

MD5
5bdbd2ebf762dbe50fb55a187ced3e3b

SHA1
7e16af4ecf2c7e16df82f56277b47797ba2aaa2b

SHA256
6e6936379833691a3f66f45d2fd7afb94b13649ab101e0f69f8b2c94072cd3d6

SHA512
5b85cdadf86aedcebad05570843551bd1c141245f66bd54f8e7463e37c394584a951af65a3ec5972e2d3515b03bae973d73468dbdab0f551764f78935d917aa8

Download Submit
C:\Windows\SysWOW64\Jbppgona.exe

Filesize
64KB

MD5
5038b780904ecf5773b13ce5421422f9

SHA1
4318c149e1559b6b3ba1061bccd390df2458443a

SHA256
e4ee02d920915404af0eaec120c43f285d6cf8a5ab378f3c9747553ff15a12e5

SHA512
5e194c3b5fd81c1385e53cf119c153020a6258ff78fd71786397e2b79c9a06f70ba3a5e1a13178d3f971ad709f79424e7f65dbe4be9f46e034df133803f15785

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
64KB

MD5
3686ecad7fdc4a2ebd155feac0a8017f

SHA1
1dd72f0f3c3810b43f4ce19b1a64a9de9e919a2e

SHA256
791d9de24ee6483b4982c2a9be9b666bdcefd7a78bae80c972f80e6c8c816a42

SHA512
7a4b0b753a5b8815c47e7381388a105d1154957795da4a43d7af532f0861ce19345e7106dde29a91eddd7c7c51ef4b824630c98b016880cf4109d33afa15b8ac

Download Submit
C:\Windows\SysWOW64\Jddiegbm.exe

Filesize
64KB

MD5
c728d72223ef047bbf5565e30308d4e0

SHA1
194906e1adb148536e01a2c1a9f6b59932a953e9

SHA256
1d4883b4fd1955a226a9288a223d266882e71d37ea5bb5e5190899f36523f937

SHA512
6733a8d4c3e564816fbc59952cd06c2021e44664e4ff4d58e06651c583346634d82125fa75d34779c69256fc925f623645543c3aaee555ba54d2f6d6170ea593

Download Submit
C:\Windows\SysWOW64\Jdmcdhhe.exe

Filesize
64KB

MD5
07020a2dfee22818d85736a54ea01efc

SHA1
b0f768b467f4e235c92d03c10878c08629dc1797

SHA256
5edeb1d54d4c55f97e0b79d300521c0c8b314ef5e8090b62c81b6105bacc37aa

SHA512
012af0b20b89db590f3eae73483223bad7141b2b7513fb3391ce9b0d00dd6499b19fd249576f36bd49745950752c131478f958bc7fc1a5eff4c62a362555c5ca

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
64KB

MD5
587603d264c792c6448527653b52649f

SHA1
f930e2551658637ef35468edfc056b8deed77ca7

SHA256
dcc9dad43314a2fc9457a456ec422647cff5e4b3bcbb892a3f8badca3ec73ba1

SHA512
b1648888d21cec4f656e008d57b183ef44473f23650815988c80a33fb3f4f18c86ac13de1b1b349b8f6246c369083e6ab1deb6d49ebd57158208908b12a96ba0

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
64KB

MD5
9ebf2e599f97f1d3f95517234ece3306

SHA1
48229c7a038cb3c81892910c188b61e00adbb438

SHA256
e06b7fe85e3bb315b1bafbfe80a04bd8f53682886d7df69091d7b5b5663d9ec3

SHA512
f22bd0b71427e8eaa1e8b1a11d4dee3c236030608330a3affce6a8ef23c82f07c62c3daef1cc7a00b509a8a4dab4d018b8ebf881800d482c74a3bbeccbe0b074

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
64KB

MD5
82ab3de25a2326a2bc877379fc207237

SHA1
7d4f24c72d27107009f72158b314e992c93e0005

SHA256
b794cbc404d41364678babb009d97fdd01011a803b7a03480e636eb006fbcc58

SHA512
b18d6de778cb52a2c26580dec64f6f40c3020ddc5a6fdd44c426fc82de8a4a7cc7c4eae4d82764f4f16574a00bef1e6de35467de1d2f7845b7d4a967cad4a774

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
64KB

MD5
e689d52042cee7bf64c47ddfb79404f6

SHA1
2a9f125eb42bc4638872ecf695bdd389f408394e

SHA256
cb4c011106913329424a5d19aca5f0fc33685b49f7021937616aa75da8798ead

SHA512
a141cb0dcde029930bdac27574f545e801c718048cd018606b0cbfa778ef12f229439458b136427bb482dd2f5c523ea609222466784f1e1f62573871b244ac02

Download Submit
C:\Windows\SysWOW64\Jnbgaa32.exe

Filesize
64KB

MD5
9ddd16d2efdc36d03ef6b73fffd9fe10

SHA1
03adf198229fe00bc4d486d62132715a7751420d

SHA256
0003af94ad70716a2e10e57dfa264256090f94f65cdfb311576c146818239ba8

SHA512
19d9b5d7badcd4f8d7c071af16c251673866d0fb689635542814980e811e05a186f87bb37a4aaba88bd510f6ea02cd43b21e3a472c3e04553291b5346a6925ec

Download Submit
C:\Windows\SysWOW64\Jnnnfalp.exe

Filesize
64KB

MD5
c3f89e460ec700899aa800136750a541

SHA1
499a7a5ab730313725e96623431065bd42a1bbff

SHA256
0225861a8e411ed1fb5465afc18398a6c35936e6be55160d13409c7095867497

SHA512
1e789b5c61882d8de5075935f15ad54f16f83415b337def44d1343e52ceef22cf14d047a4728ab91117ece3ce2899dba663cb799e66779e5fbbf01897abb7bf7

Download Submit
C:\Windows\SysWOW64\Jogqlpde.exe

Filesize
64KB

MD5
0f227e03bc08878b2894bf98ba408916

SHA1
398f1daf950558c63232d95b7479642e5b3647dd

SHA256
dfaa00f9b42c9196516268888d772dffa8313ac85e08d8b40dc6388cdb130637

SHA512
837c866ac42c0f46d8a6217b16cb704960afed855b5dfa47f4a3cfc6cb7ff7bbdda3e31e9308f96fbf4b4e1bad1c6fbf55ea3ed3ac07e1d08ea6f5f35b3ff96b

Download Submit
C:\Windows\SysWOW64\Kalcik32.exe

Filesize
64KB

MD5
7c7b64e7b91aee9591d8bf475f056321

SHA1
efb47b6d915d8dbbf2d3ee10ecd0a82b8b413d7f

SHA256
54d1ddd3b95b80054c28ab16af7ea3f5b11db4014c42ce2191a1137823c2832f

SHA512
5fcae72d113154eb7f29c58da49c99b888129ff0bdea167627e5c12ed242277325728baa7983ab1d87c0c0471cc6742624441bbbf645e69a506c98c6108a93ed

Download Submit
C:\Windows\SysWOW64\Kbgfhnhi.exe

Filesize
64KB

MD5
6e530d340b8f7bea9ce8c7163bd0d70c

SHA1
319bddea6a7068c99cf2463ad95238afaf1cdc09

SHA256
ecd637f94eafa90ef7b3fe5092eb8060586497487c1e594f5d351116ddd8e833

SHA512
01bdd5094b26446b1fe7c51ca334e780f1740f80d0c0faaaaee8ab577936e86839b9e33a515a59ce210f132e21c97f019b78cb62589d3e2a78a9fe745acd82f1

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
64KB

MD5
e460bc434736d79f4a309a8ffa7859d4

SHA1
2e070d80b4c3a6b756451e9bcd591c05367db066

SHA256
35b91e41828cb70ce32c6e30500bd26b2b90e70fb8f662aca730bec76409406f

SHA512
7300aa42c6e66b89f747cb32851a58413a0afcffcf0a8e9ea758e90dd4fa0e8ce49d4396a8417e0d8dc5d2ac170b8c87e7c0cb3885b588901051ebb44be0af39

Download Submit
C:\Windows\SysWOW64\Kdkoef32.exe

Filesize
64KB

MD5
cb9122042e51a0f7176ee872cdf0b04f

SHA1
aa19df5ca1143c86553e82972ef901480f1d3332

SHA256
a8e3cd73fe6be9827d768f64c3aa557dfe40291b8e7c8df8d657799cd7a4ee58

SHA512
9f7b997fe3299a22a7211813c32c4711fedac8e108e35fe252b547fa2c129dfce9216bf0968dd213ace301f7f9c494ecb169d4242cabc2f8b63dfed267be098b

Download Submit
C:\Windows\SysWOW64\Kdmlkfjb.exe

Filesize
64KB

MD5
435e4908a47db0aa69e154ba6d888ac4

SHA1
58f7b124d2d54eb3b33e4e6c85a6638857a75cf7

SHA256
4adb19f797fed5c6d0325d64cc86b2eaac3969a13a821aa1b4bbddde1ffa5682

SHA512
fdc4f874fb2d075c3753b4417ea0dc4fd03de0bb1e03c16f977f8fb0fcfc866345cf39b5c8cb33e7d32424600851f75c2611055f1d76b9314d34290398334057

Download Submit
C:\Windows\SysWOW64\Keceoj32.exe

Filesize
64KB

MD5
ed267b35d3683b7f27d4b32c767ca7d3

SHA1
3dd3ab78164008dd82dd65844da5658812a8ccb1

SHA256
03a003de0e052925281da07c41a527e22a8294090c4ecb4f1a0db741bf3be3c3

SHA512
5311f0288533ac323364a8fc928d5d313e5a8ed848a641b4750b570603d0c16fcd7767a5a5e5699b6b229d8b96c0cc703550e95df64c7f464a0782f5f36a3e66

Download Submit
C:\Windows\SysWOW64\Kkegbpca.exe

Filesize
64KB

MD5
5ae69116d99827d15522b01bc3e58a35

SHA1
e9eba0a708442a301335514f232ef2b336103dc1

SHA256
2aea38c0a74089ebd16993f77aa7b59741258d8334c646960f0b807109a760b2

SHA512
4dad83a4c5349193d79fa8669107ee287b1023159c6c5fc7632e663a34bd645f95b69673b6f226b738bb12debe2889cb1033c8f729241bebbe3d1c6e7fcd1898

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
64KB

MD5
b7e10df322173b618f8e0359162296a9

SHA1
e4d106f2c466faff17bddd6bc667ea18b8adbd1d

SHA256
582c262d1e4d4a66c882e15806d5ab488834d06516866a4cfef176bd8dad3b8d

SHA512
7597cf106d2b10657aadcc9c4bd7309e97bba4f9a0bae749de516fe82fc473666e41999ab7609442a29474c432635f35ea68bb1ef8568e1dfa0e3b24cf82b9bf

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
64KB

MD5
a54644c77d4a21285d747bb1fd40ad82

SHA1
690fc9c2af6e3f19af573279803d201a93c60085

SHA256
74c9067e7eb7e9b1dd023453471dcafa9b3999aeafaef25ad593be4a802452f1

SHA512
81fa824d5be6325ddaee2fe45c6e13e07577d33bb372fc1e7a162f0afba956be0dd14cc017f872c2e53452fad9776f6f9ff5ba508324abc753f066c5764ef9e0

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
64KB

MD5
50e9032a1551d2ddb1a7552053a0ae11

SHA1
e861509294263ce68f5e27c8f213fca1f049fe5f

SHA256
062ee670ce401aa1a020b3701f15590eb228b485fb01e2d91d18d23762ff39d7

SHA512
66e0224df8b30535a27325d70795ebd4abf4d92c52f6def4dd3e2c000e0aca2595d1b1dfcc2b52c24cd475943c54676490cebd73484f1a495a2d13f3e253baea

Download Submit
C:\Windows\SysWOW64\Odjmdocp.exe

Filesize
64KB

MD5
7842469eb4f68a7b0c59d776727e73f3

SHA1
d3114dc7ad4cf3b3a60600fd98f44aaa6873b890

SHA256
5ea300821c46d5347b83fcffece01816ad397a564d5dba003296f5c0fcf6ef3f

SHA512
b5cae7bd04aef148e36135db7cd0bb77929f9707b058f9264464a497e6fa97d025c35fb063c5cc1b2ae61d92f97f5c23d64f48fc3b5d841439a335fdb0b89d51

Download Submit
C:\Windows\SysWOW64\Pkklbh32.exe

Filesize
64KB

MD5
116214a2c36b414e3ba3264640d71bdf

SHA1
6942a738736b0f401f513379897200e8d5a11daa

SHA256
bc8bda8d793392379ca057e7696464af52c1cd019dec8665b022e8f6fcdd3de6

SHA512
6e82f1caea02a2656ddb89f8dfa06ca1970f2c75f1b7fc75e3de06a3c964416afadea6ecfb6e1da0a201f1beeaa87b320e4520f49b90aea3c5e2d1cc5cf1e81a

Download Submit
C:\Windows\SysWOW64\Pmjhlklg.exe

Filesize
64KB

MD5
af99f031d0adec4eabde21542fc8219b

SHA1
26c4cbd9df4cbf945eb7b5db371392e51a99cf72

SHA256
e8b3e43379bd97b0f0e5cbd181106256e62c024b2824ee4f8e90c5eb539798a4

SHA512
3cd055ecfe619337fae4261f0cdc907cc1f0f82965990ea140c2a2bcb08fdf92329e1e87738065c9b909bd6152a627260ca07dcba306d08546a6b4d990e7c062

Download Submit
memory/392-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-4-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2036-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5152-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5172-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5200-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5260-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5308-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5312-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5360-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5384-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5400-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5440-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5472-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5516-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5568-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5608-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5648-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5688-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5736-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5772-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5816-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5860-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5900-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5952-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5992-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6040-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6084-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6120-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads