fe72ac48d38282bc6a1d9a2b947196722aa9e14267c34be12d69982351b83294

Analysis

max time kernel
137s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe72ac48d38282bc6a1d9a2b947196722aa9e14267c34be12d69982351b83294.exe
Size

1.2MB
MD5

fc3529a3c910ec908f806713886be000
SHA1

668b47a0a8d5096db079fd752c42d594845659af
SHA256

fe72ac48d38282bc6a1d9a2b947196722aa9e14267c34be12d69982351b83294
SHA512

b2ac7c6b96037a5c87921f86a13eb7c845305dd93e036894f7483c4ee54b2ef8c7d95ea78963a441d4a67cfeaad0e8e99eb1562c56a1f9b94291e82b0165df21
SSDEEP

12288:9rgJVYlFiWZCXwpnsKvNA+XTvZHWuEo3oWiQ4ca:CVYlFiWZpsKv2EvZHp3oWiQ4ca

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbonoghb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apggckbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiccje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikoopij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kplmliko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afappe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagdnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enopghee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmjqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhffg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgklmacf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjffpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjhkmbho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qapnmopa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eahobg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocgbend.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qikbaaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabkbono.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daollh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipihpkkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgdkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qikbaaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpopbepi.exe

Executes dropped EXE 64 IoCs

pid	Process
3368	Ilfennic.exe
4384	Iafkld32.exe
3228	Ibegfglj.exe
5080	Ieccbbkn.exe
3952	Ihbponja.exe
3820	Ipihpkkd.exe
4464	Jbagbebm.exe
2108	Jikoopij.exe
1152	Kplmliko.exe
532	Kocgbend.exe
1136	Kofdhd32.exe
5064	Lepleocn.exe
4740	Ljpaqmgb.exe
4680	Ljbnfleo.exe
2080	Llqjbhdc.exe
1676	Mofmobmo.exe
2388	Mlljnf32.exe
3780	Mokfja32.exe
1348	Mjpjgj32.exe
4440	Mlofcf32.exe
4492	Nfqnbjfi.exe
3720	Ookoaokf.exe
1316	Oiccje32.exe
4400	Oqklkbbi.exe
1880	Ocihgnam.exe
1656	Pimfpc32.exe
3604	Pfccogfc.exe
5008	Pplhhm32.exe
3052	Pbjddh32.exe
2372	Pjaleemj.exe
3404	Pmphaaln.exe
3884	Pciqnk32.exe
5100	Pmbegqjk.exe
1896	Qppaclio.exe
3724	Qbonoghb.exe
2236	Qjffpe32.exe
756	Qiiflaoo.exe
1464	Qapnmopa.exe
4460	Qcnjijoe.exe
640	Qfmfefni.exe
3920	Qikbaaml.exe
3608	Aabkbono.exe
5016	Acqgojmb.exe
1812	Afockelf.exe
2924	Aimogakj.exe
3620	Aadghn32.exe
1620	Apggckbf.exe
1592	Afappe32.exe
4884	Aiplmq32.exe
4020	Aagdnn32.exe
2440	Adepji32.exe
3180	Afcmfe32.exe
3632	Aibibp32.exe
3376	Aaiqcnhg.exe
5160	Abjmkf32.exe
5200	Aidehpea.exe
5240	Ampaho32.exe
5280	Apnndj32.exe
5320	Abmjqe32.exe
5360	Ajdbac32.exe
5400	Bmbnnn32.exe
5440	Bpqjjjjl.exe
5480	Bboffejp.exe
5520	Bjfogbjb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Npakijcp.dll	Llqjbhdc.exe
File created	C:\Windows\SysWOW64\Aibibp32.exe	Afcmfe32.exe
File opened for modification	C:\Windows\SysWOW64\Ekimjn32.exe	Ecbeip32.exe
File opened for modification	C:\Windows\SysWOW64\Ejagaj32.exe	Egbken32.exe
File created	C:\Windows\SysWOW64\Llqjbhdc.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Pimfpc32.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Acqgojmb.exe	Aabkbono.exe
File created	C:\Windows\SysWOW64\Ncmkcc32.dll	Apggckbf.exe
File created	C:\Windows\SysWOW64\Oqklkbbi.exe	Oiccje32.exe
File created	C:\Windows\SysWOW64\Ampaho32.exe	Aidehpea.exe
File opened for modification	C:\Windows\SysWOW64\Cildom32.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Ccdihbgg.exe
File opened for modification	C:\Windows\SysWOW64\Ocihgnam.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Pimfpc32.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Pafpga32.dll	Qapnmopa.exe
File opened for modification	C:\Windows\SysWOW64\Bfolacnc.exe	Bdapehop.exe
File opened for modification	C:\Windows\SysWOW64\Ihbponja.exe	Ieccbbkn.exe
File opened for modification	C:\Windows\SysWOW64\Bjhkmbho.exe	Bbaclegm.exe
File opened for modification	C:\Windows\SysWOW64\Ephbhd32.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Jodamh32.dll	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Cancekeo.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Elkodmbe.dll	Dickplko.exe
File created	C:\Windows\SysWOW64\Gpkehj32.dll	Abjmkf32.exe
File created	C:\Windows\SysWOW64\Dalofi32.exe	Dkbgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbnnn32.exe	Ajdbac32.exe
File opened for modification	C:\Windows\SysWOW64\Eaaiahei.exe	Ejjaqk32.exe
File opened for modification	C:\Windows\SysWOW64\Ecbeip32.exe	Eaaiahei.exe
File created	C:\Windows\SysWOW64\Fnffhgon.exe	Fcpakn32.exe
File opened for modification	C:\Windows\SysWOW64\Qppaclio.exe	Pmbegqjk.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Bdapehop.exe
File created	C:\Windows\SysWOW64\Dpagekkf.dll	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Ieccbbkn.exe	Ibegfglj.exe
File created	C:\Windows\SysWOW64\Cdolgfbp.exe	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Enjfli32.exe	Epffbd32.exe
File opened for modification	C:\Windows\SysWOW64\Fcpakn32.exe	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Jhhnfh32.dll	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Mlkhbi32.dll	Ilfennic.exe
File created	C:\Windows\SysWOW64\Djkpla32.dll	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Bmggingc.exe	Bjhkmbho.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Cgklmacf.exe
File created	C:\Windows\SysWOW64\Mmmncpmp.dll	Ieccbbkn.exe
File created	C:\Windows\SysWOW64\Mfnlgh32.dll	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Ihbponja.exe	Ieccbbkn.exe
File opened for modification	C:\Windows\SysWOW64\Aimogakj.exe	Afockelf.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Qppaclio.exe	Pmbegqjk.exe
File created	C:\Windows\SysWOW64\Hdedgjno.dll	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Ddfbgelh.exe	Dahfkimd.exe
File created	C:\Windows\SysWOW64\Nhbjnc32.dll	Ephbhd32.exe
File created	C:\Windows\SysWOW64\Bpldbefn.dll	Nfqnbjfi.exe
File opened for modification	C:\Windows\SysWOW64\Qbonoghb.exe	Qppaclio.exe
File created	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Kpmmljnd.dll	Ipihpkkd.exe
File created	C:\Windows\SysWOW64\Ncjakdno.dll	Kocgbend.exe
File opened for modification	C:\Windows\SysWOW64\Ampaho32.exe	Aidehpea.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Kocgbend.exe	Kplmliko.exe
File created	C:\Windows\SysWOW64\Cildom32.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Famhmfkl.exe	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Olqjha32.dll	Aagdnn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6176	7100	WerFault.exe	239

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmhcaac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daeifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejjaqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepleocn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmbegqjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpedeiff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binhnomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagmdllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikoopij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmfefni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afcmfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajbaika.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjffpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddfbgelh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egbken32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqklkbbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiplmq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apnndj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bboffejp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epffbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhffg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cildom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaaiahei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlofcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfogbjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbaclegm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphqji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipecnkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcnjijoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampaho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpogkhnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacmpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppaclio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnnimak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekimjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enopghee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pciqnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjaleemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdemb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbncapd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmcgcmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pimfpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfccogfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmdkcnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplmliko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfqnbjfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidehpea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgnam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afockelf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpqjjjjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdapehop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocgbend.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofdhd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbaclegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgihop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgldbkn.dll"	Qppaclio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qiiflaoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampaho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjjlakk.dll"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhaiafem.dll"	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjfbb32.dll"	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iafkld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbhiiol.dll"	Bjfogbjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmhkia.dll"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkcghg32.dll"	Eahobg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgihop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqfojblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipimhnjc.dll"	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqfhf32.dll"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldicpljn.dll"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdebqbi.dll"	Dalofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jikoopij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocmhlca.dll"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjhkmbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiqkhgo.dll"	Ihbponja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqfojblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqqddpi.dll"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fe72ac48d38282bc6a1d9a2b947196722aa9e14267c34be12d69982351b83294.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glofjfnn.dll"	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanpie32.dll"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdqaqhbj.dll"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkbgjo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 3368	1340	fe72ac48d38282bc6a1d9a2b947196722aa9e14267c34be12d69982351b83294.exe	89
PID 1340 wrote to memory of 3368	1340	fe72ac48d38282bc6a1d9a2b947196722aa9e14267c34be12d69982351b83294.exe	89
PID 1340 wrote to memory of 3368	1340	fe72ac48d38282bc6a1d9a2b947196722aa9e14267c34be12d69982351b83294.exe	89
PID 3368 wrote to memory of 4384	3368	Ilfennic.exe	90
PID 3368 wrote to memory of 4384	3368	Ilfennic.exe	90
PID 3368 wrote to memory of 4384	3368	Ilfennic.exe	90
PID 4384 wrote to memory of 3228	4384	Iafkld32.exe	91
PID 4384 wrote to memory of 3228	4384	Iafkld32.exe	91
PID 4384 wrote to memory of 3228	4384	Iafkld32.exe	91
PID 3228 wrote to memory of 5080	3228	Ibegfglj.exe	92
PID 3228 wrote to memory of 5080	3228	Ibegfglj.exe	92
PID 3228 wrote to memory of 5080	3228	Ibegfglj.exe	92
PID 5080 wrote to memory of 3952	5080	Ieccbbkn.exe	93
PID 5080 wrote to memory of 3952	5080	Ieccbbkn.exe	93
PID 5080 wrote to memory of 3952	5080	Ieccbbkn.exe	93
PID 3952 wrote to memory of 3820	3952	Ihbponja.exe	94
PID 3952 wrote to memory of 3820	3952	Ihbponja.exe	94
PID 3952 wrote to memory of 3820	3952	Ihbponja.exe	94
PID 3820 wrote to memory of 4464	3820	Ipihpkkd.exe	95
PID 3820 wrote to memory of 4464	3820	Ipihpkkd.exe	95
PID 3820 wrote to memory of 4464	3820	Ipihpkkd.exe	95
PID 4464 wrote to memory of 2108	4464	Jbagbebm.exe	96
PID 4464 wrote to memory of 2108	4464	Jbagbebm.exe	96
PID 4464 wrote to memory of 2108	4464	Jbagbebm.exe	96
PID 2108 wrote to memory of 1152	2108	Jikoopij.exe	97
PID 2108 wrote to memory of 1152	2108	Jikoopij.exe	97
PID 2108 wrote to memory of 1152	2108	Jikoopij.exe	97
PID 1152 wrote to memory of 532	1152	Kplmliko.exe	99
PID 1152 wrote to memory of 532	1152	Kplmliko.exe	99
PID 1152 wrote to memory of 532	1152	Kplmliko.exe	99
PID 532 wrote to memory of 1136	532	Kocgbend.exe	100
PID 532 wrote to memory of 1136	532	Kocgbend.exe	100
PID 532 wrote to memory of 1136	532	Kocgbend.exe	100
PID 1136 wrote to memory of 5064	1136	Kofdhd32.exe	102
PID 1136 wrote to memory of 5064	1136	Kofdhd32.exe	102
PID 1136 wrote to memory of 5064	1136	Kofdhd32.exe	102
PID 5064 wrote to memory of 4740	5064	Lepleocn.exe	103
PID 5064 wrote to memory of 4740	5064	Lepleocn.exe	103
PID 5064 wrote to memory of 4740	5064	Lepleocn.exe	103
PID 4740 wrote to memory of 4680	4740	Ljpaqmgb.exe	105
PID 4740 wrote to memory of 4680	4740	Ljpaqmgb.exe	105
PID 4740 wrote to memory of 4680	4740	Ljpaqmgb.exe	105
PID 4680 wrote to memory of 2080	4680	Ljbnfleo.exe	106
PID 4680 wrote to memory of 2080	4680	Ljbnfleo.exe	106
PID 4680 wrote to memory of 2080	4680	Ljbnfleo.exe	106
PID 2080 wrote to memory of 1676	2080	Llqjbhdc.exe	107
PID 2080 wrote to memory of 1676	2080	Llqjbhdc.exe	107
PID 2080 wrote to memory of 1676	2080	Llqjbhdc.exe	107
PID 1676 wrote to memory of 2388	1676	Mofmobmo.exe	108
PID 1676 wrote to memory of 2388	1676	Mofmobmo.exe	108
PID 1676 wrote to memory of 2388	1676	Mofmobmo.exe	108
PID 2388 wrote to memory of 3780	2388	Mlljnf32.exe	109
PID 2388 wrote to memory of 3780	2388	Mlljnf32.exe	109
PID 2388 wrote to memory of 3780	2388	Mlljnf32.exe	109
PID 3780 wrote to memory of 1348	3780	Mokfja32.exe	110
PID 3780 wrote to memory of 1348	3780	Mokfja32.exe	110
PID 3780 wrote to memory of 1348	3780	Mokfja32.exe	110
PID 1348 wrote to memory of 4440	1348	Mjpjgj32.exe	111
PID 1348 wrote to memory of 4440	1348	Mjpjgj32.exe	111
PID 1348 wrote to memory of 4440	1348	Mjpjgj32.exe	111
PID 4440 wrote to memory of 4492	4440	Mlofcf32.exe	112
PID 4440 wrote to memory of 4492	4440	Mlofcf32.exe	112
PID 4440 wrote to memory of 4492	4440	Mlofcf32.exe	112
PID 4492 wrote to memory of 3720	4492	Nfqnbjfi.exe	113

C:\Users\Admin\AppData\Local\Temp\fe72ac48d38282bc6a1d9a2b947196722aa9e14267c34be12d69982351b83294.exe
"C:\Users\Admin\AppData\Local\Temp\fe72ac48d38282bc6a1d9a2b947196722aa9e14267c34be12d69982351b83294.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\SysWOW64\Ilfennic.exe
  C:\Windows\system32\Ilfennic.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\SysWOW64\Iafkld32.exe
    C:\Windows\system32\Iafkld32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\SysWOW64\Ibegfglj.exe
      C:\Windows\system32\Ibegfglj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3228
    - - C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Llqjbhdc.exe
        
        C:\Windows\system32\Llqjbhdc.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        23⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        30⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        46⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        52⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        54⤵
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        55⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        67⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        70⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        73⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        76⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        77⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        80⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        86⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        93⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        95⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        102⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        105⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        106⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        109⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        111⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2756
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        115⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        120⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        127⤵
        Drops file in System32 directory
        
        PID:6240
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        128⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6344
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        130⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6468
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        132⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        133⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        134⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6792
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        138⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6888
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        141⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:7012
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:7100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 400
        145⤵
        Program crash
        
        PID:6176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7100 -ip 7100
1⤵
PID:7160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daeifj32.exe

Filesize
1.2MB

MD5
3dacbafaee57d45cf35493a651856a20

SHA1
108ec948220e798574b09c3181f9488f0d6460d9

SHA256
5fcc0060e8393d0815238697250d275a9114e97659bc81ea55fa0b8a58ee0cbf

SHA512
700f6c8f515dda957ebb5c2a35996dfd769b60357e17a10a089188b7d55189c8ecd6e0127fdb07bdf3ccecc63447c5014a13e872dc4af1ec6e291c332e66370a

Download Submit
C:\Windows\SysWOW64\Dajbaika.exe

Filesize
1.2MB

MD5
001f7ab9db688b122238d6d09dc354d4

SHA1
3ed2ed589f5b8e6e21acbfe4b992d77b10f11163

SHA256
a6749f6fa71b94c49eb6dd16399674635154c7843d9be706788ed2b81049581e

SHA512
9908f06651ea1ec2f8cbbe42e0873bf680d3596c80275b5c573946f3ee670b99c75ccdb78ff913e68fc938ea162d8ab45dc0e6e4da640ee95aff3ba9070cd213

Download Submit
C:\Windows\SysWOW64\Epffbd32.exe

Filesize
1.2MB

MD5
16e81cba78cf7b3d4ebc5e43949b5bf2

SHA1
64fa163f38c7d332f58e3f4d764ae351552da57f

SHA256
f9191f968b4d9037ee32d4c901c07e59fbdbbbad45f05154a6de54f8c4841462

SHA512
932424add8e6994699357def9e252970a0a9c8c6ed1188fb161fae15bc776131f68e3ee339ebe3da04033138484d1edae390db62141b98146c2cb8635a7d41d0

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
1.2MB

MD5
c88d52bd89549762dafd931fd3c6dd49

SHA1
0c1809817666e9944b712882ac8cb9697c15b809

SHA256
1d13d99c4468d9e143d5387dbd08c7bb817f687de3c84dc70313afd5a993865f

SHA512
2dfd46a8819585e39c61b603514d748fd1eff48e5d90395fccbbf3582c50b074e993499d52b0455fb8795ed9ef3e7228f4e101926000924367d26bad1fc42411

Download Submit
C:\Windows\SysWOW64\Fcpakn32.exe

Filesize
1.2MB

MD5
f03a1a4b957970ebece71d273ca61ae6

SHA1
cb7f24d0ca9993aff138b6b5cfa03a7be9d0bd15

SHA256
2330c9c573e328bd4ed790d379b2a4caae9ddb82dc3f5f2918d269b3655d5dd2

SHA512
365824a498f145173aeb70b21cc514ab42622b8a3eebbb1fc0f5a0ba6a62195adf61e60d6fbc66c71d3a5584afd11f1a36fd925b6dfc6b39ae02d71d1d5c680d

Download Submit
C:\Windows\SysWOW64\Iafkld32.exe

Filesize
1.2MB

MD5
a2ca7b353bbd1e0282cd65bc3cb5183f

SHA1
6c94e852163a906038f32ef001f3a048152e386a

SHA256
176128d38c73791dd612c9a336d8b75e5f01a71cca4d3ace4f23536be113db60

SHA512
57d6305156d13b74687aaa2fca9d8a986c9520dbb088492c1204265d962c64c876849d911196628d91a80275fd07fe02cdf5577fbbcff1bcefdc5e00a749ec46

Download Submit
C:\Windows\SysWOW64\Ibegfglj.exe

Filesize
1.2MB

MD5
281089ea95d9488b09b0a2c3da3c6ce1

SHA1
57ae57d091e5b67c9c8adc998bfbee1eed370140

SHA256
47c54ea4bfe9ea5e8335af04ac2f28fe9dbbb794ea06d2815a5231beeba44e90

SHA512
a835591d481abacacb689e6bea5d1b25b75adf2db3c5b562842ada6a4b337f0f10f411bbfb0a652df35b503e06d219d277f9174c456dab85cb69bf03378abe40

Download Submit
C:\Windows\SysWOW64\Ieccbbkn.exe

Filesize
1.2MB

MD5
4f3fe2e58551e6cc02871f67c7bc5e08

SHA1
157581fa0102458bd87ac503c4782dfaebebeeb9

SHA256
417612097078a58ef71e82f255b411e887e9e20092f6aa089cbbb828f2731176

SHA512
7b360d01c9980b592181dd61ad945550ec07ad9129cadccf4af18e9a7cc85b397b1da592e6adfaddf85312b8bfa0b7f969fda65a2f8e2c67245c40eb81d6509c

Download Submit
C:\Windows\SysWOW64\Ihbponja.exe

Filesize
1.2MB

MD5
e236c7088fc45ff5d3a8137db358f289

SHA1
34b9195a85b8aa00c4026012053348b4ef4f2169

SHA256
470e11b9b917d241d74d4831a3bc2b44794bb06f7794ecc2d61241baac1c7561

SHA512
d63f1169a6f77eb6eecef16dd585926aecf020b2216db7c9761620d8a757f51c96a94d7397c4bfd70c7e0781db04aa9d1c5c9213560953f8f05adca07f0e1167

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
1.2MB

MD5
32601bb2e80c8be681532582e1e79dc7

SHA1
793d8db0302f395a35e3a0304f0ce53eff2646bf

SHA256
0c4e4f7eb875ed33bd481122e595ad27fb7189215c2c195bca3ef41a68d6d1ac

SHA512
bef78daa849543be01bf5edb4d426199b80f9536fe8b5b13cc0615c90c3471d844c938986e4ce7ef5ba9bbaf4466fb14155c312c7e92c39f10e50dc69577493e

Download Submit
C:\Windows\SysWOW64\Ipihpkkd.exe

Filesize
1.2MB

MD5
1133bb8969117a67d48fc3a1999a12d7

SHA1
33348535af11d3d0c761e7af64732b5f825c7ba3

SHA256
af1e4807dfc21cea409d6e1ed2398908a12bdf1811332892dca74fa8830f879d

SHA512
8bc043412396314e594fae341c6ec78db74cfd3a04ddd8907ed7d6a4647b77c6f38e6614d790293b3a2abd806c42ab51fa1a4248f114ceec9af1c25e9e2e8f2a

Download Submit
C:\Windows\SysWOW64\Jbagbebm.exe

Filesize
1.2MB

MD5
1a9f5ac8774d038ce4a4b74f08bfbd14

SHA1
4bd1a4583efd69674bec2712543390df5e1ef3ee

SHA256
b361a51e800980ec43c447adbae2e70be9620bb4509ce735b5713b666c1681b4

SHA512
7d41cdbbb66238be309bceb25729a00d2c36879c1b6727d23676f18f8ed984ebcf34adf264564c165f2cc20657e2bc3283981fd3e8c1d14109bda58c0d04c7d3

Download Submit
C:\Windows\SysWOW64\Jikoopij.exe

Filesize
1.2MB

MD5
9b176daed7e5c4e7e94a3a9688edfc23

SHA1
c28ea7a4fe567f2c37df178aebbbce4df118311e

SHA256
e82cd8507804c96dba2aa6446e40331a441869c23834945adc802ca4f40ff356

SHA512
75d766442c0edc8825ccddb5de47fc634b83104f8bd5f67f768178600af24e2044725ac31a9269cd3a8eec7f1dbaa9c3476bd9867effeab88742e6cce1242a3b

Download Submit
C:\Windows\SysWOW64\Kocgbend.exe

Filesize
1.2MB

MD5
24ef105362368ad4f0fc5b977712994d

SHA1
011ff94588444f1d481566f1fe16fe1ed315e7f8

SHA256
4266705b3f544852000a29bd82e615d8f6344ad9d2069acb8f8d0b0ea8244189

SHA512
c532c4f6d7854c7201a0067f63e63b497ef89e26c0a1dc362757ef1262f4cd01f9f4f9ce3393e613bc1b027245f59bae9c8996caaa5851c539d93b7f45a1b9df

Download Submit
C:\Windows\SysWOW64\Kofdhd32.exe

Filesize
1.2MB

MD5
388a0522af9cd00ef9c8488b53605660

SHA1
cca46cc1c4809eee47c931ed694c5be1574f19e9

SHA256
394a2310e8707b4a213b1722ebe9ad67d58612c7c1f4636ad16baf0417ef99d9

SHA512
2b85e402fbf61a7caf62bc2d82c467e1b42ec93cefd456dc15dc4d16a5bff6b48a9f146b4fcf025e7495f3a801676af479da6e67325c28c7008aa8ed055df6b3

Download Submit
C:\Windows\SysWOW64\Kplmliko.exe

Filesize
1.2MB

MD5
c808da1304d09a29d7ba928b3e93ce6e

SHA1
8f024e4a104d14a511d89bf4ad402f11055a432b

SHA256
48a7c3470138de783146a07ea8b625174a98c3cd5f82610ed70e5a49a2cd3e12

SHA512
93f0de9a88ee8c1ebe59474596451b383a2a00161a6f46b60eafc23aa4ab156bdfae275c8fb478398db8c468186814329a9a685db4d091da348cc89198f45dcc

Download Submit
C:\Windows\SysWOW64\Lepleocn.exe

Filesize
1.2MB

MD5
50637af98f393d7f43c16d0a1004495a

SHA1
8564fca713ae0cd3c8107dd7db3c5e2ff5a8785d

SHA256
51aefe8f81ab0a1899cb1c135d54996dbb13f5be502f35345fe5b43a21bdf948

SHA512
f015c859cb9236dfc1cf1d2a89137439c340e18324744dbbe5ff92b4d155318228be193111c20ef620459d580d6a74aaff24787872ac6ccbf6e4c6f196452678

Download Submit
C:\Windows\SysWOW64\Ljbnfleo.exe

Filesize
1.2MB

MD5
c726e3d37c74c24e349b2351258a9628

SHA1
d7c4ed777050fc34aaa7ab96706f329615dcc18d

SHA256
4f7ba3faa463609686bceb30c525f5d70c98cb85fccd050c67ff829055992c8d

SHA512
6bfd2e0090be2992cae78deb07acc27e38a389f4293de8090e9a624448936084c824931bc4b95f607a9c8c6f34e749ae956389409c4d7ed1d8b9ba21b5db98de

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
1.2MB

MD5
9a7d181c00f8347f559512959db0a9a2

SHA1
cabe52713c11dafa91aa956a4ddc53190afa63d6

SHA256
eec2e10c08ff6c475c83ee8bc15ac578646414243b03919f1ab40afd23865dad

SHA512
50eb38f5bde1ac5347795ad21b09b003f6db5523dd50f7746ee168790b136f98aaa58458acf1212480fd5471b85af0325f62e302ad3883dedbb3e80f129ef6b0

Download Submit
C:\Windows\SysWOW64\Llqjbhdc.exe

Filesize
1.2MB

MD5
548f1ddf8de317348d41871365803a93

SHA1
897c03a5967bdf36a12286fc95209b5ca2bf8fb6

SHA256
fc2b316c392179cc875f6e8bb1ec82ca0806402788aa11a70954df75a037e91d

SHA512
76af0b1cdd5f7b838e490cc3ada52f0ac0b81ba415f7db1d6306b8bc2878000cf5363f9c5dd76be15bba9b2ef257c20649736f96038b84b29488a2c11ef3d41e

Download Submit
C:\Windows\SysWOW64\Mjpjgj32.exe

Filesize
1.2MB

MD5
476b77921e870f106db6c8a0d3051a92

SHA1
8f35570ce78a7f3b4e4fc0834a57090e2f1fd701

SHA256
159a39c8af3266de4d98520df52cf23ed0cb98558da16d44b41f9187b494cc5d

SHA512
a4eb07aa26ae6b0d334cc1804dcb883f74ca89138903ca9b16e1a4f137fa13e8e78b739c912306e0b0f8ecdb0f2c29b80f3fd914209ff9a4a2c96ee19ebf43e4

Download Submit
C:\Windows\SysWOW64\Mlljnf32.exe

Filesize
1.2MB

MD5
e4abedc97bef7ba304709a20886d0168

SHA1
203b73765cb5855c36b95baabb2672530054607d

SHA256
8ad2b104fd89a5400075c927f92aada6d1d74a536955bef53d907db56260172d

SHA512
2d9f5534b34ddcfcf834816fa002df5e37af780dbb6655b7829a5008daebf4f8b1098954e001616c02897e83a50fb6945a17bd8230b87efe1920632f96bc54a1

Download Submit
C:\Windows\SysWOW64\Mlofcf32.exe

Filesize
1.2MB

MD5
7da8d83b5d652439aa2f54c873e6ccbf

SHA1
4844ba5da8ca9c0d18f34fc819bef5f2f4b668c7

SHA256
a729bd33437898e05eda908f7a9e1be38c1a298fee09ac9c0f203bd885440936

SHA512
26965699f3345b91c9d83745fb828c828ac33f80f08def6205e360c5d97112d91aafd6a929188e99b52a9b058a167ef8490a67b48396f34957aa2ea9734c11ba

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
1.2MB

MD5
93ae86dab9be2a44a2a0402adddfbb5e

SHA1
70be8f0729e8c5d48726f7ff152fbbd735601adf

SHA256
70a22410d938a7043f56acd4543546325cabdcdd219de7e1ed7d9f56f543573d

SHA512
d916508ac7ed46bfd6de467ccc226506e2b44d1ae10da473c8412e861e69da3289fa363d1a935578d47460b06b0a0ea48df1fa2e814a2acddb3dacead7025246

Download Submit
C:\Windows\SysWOW64\Mokfja32.exe

Filesize
1.2MB

MD5
c122193cca129978bc16074735292496

SHA1
f186f86e070d008c418d15a0c70d067f0ad84352

SHA256
297fcf84682006907c09b4c38c0c07dca949fb768010aac59da3de35f40b3b45

SHA512
510845dcf5bb937e42e74d081c6392a1869c38571aa46cc41877cc3d8e8ffda1cbfba6cd06e2c2eb36d4622603a2a094ed627399e1d00441791ae785737aea1b

Download Submit
C:\Windows\SysWOW64\Nfqnbjfi.exe

Filesize
1.2MB

MD5
fcae22fa9689242f29ba3e0db7a04bac

SHA1
098c6e74782fb5eecc7f3eb58bb9d58a4a98f075

SHA256
99c9a0d27995b9928a6efaea1bb8f6f87e8a61ddcd002c43ef784f01131e78cf

SHA512
e715888aba8a899e37d5f4e761aaf15510c946ea1f25a4a2a3c9520b82a37ec95660f8c702e8d77c4103527216d717da3d01343365c66e4cb897d2074530152f

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
1.2MB

MD5
35188431d8a522e41584da1516aec087

SHA1
982433337b18f7c7c46b6a554accab6e2d8a7a8c

SHA256
8dbe95dfbab11e5093576fc916efef1627bb8937f16ad1334020864d62d42df2

SHA512
2f54fc8901480a32219f418cae26f4dabb95d8790b5018fff56a2ecdf58bb081b83b946728286462ebe628144dd9f5b009d147ac4ce6e80e64b5369403a3fb54

Download Submit
C:\Windows\SysWOW64\Oiccje32.exe

Filesize
1.2MB

MD5
b2dcb58d49ef5ea6f16314b89f80759f

SHA1
f15513a817317f69d0a0eb9b99dfd5e901670b43

SHA256
5fb37d9ec04fcc46a6b39bd87f73a70f1bb3902fc6660d2fe08ef32931dd6cd6

SHA512
975edc894bc984226602401dceb45d8e51ea7fb3e53ecf3700b750b2a74ca95a56b9bb7fdf7aa81ebe67d1ae532915b0589512844c1503d528be332e8f9c2fb4

Download Submit
C:\Windows\SysWOW64\Ookoaokf.exe

Filesize
1.2MB

MD5
460a6bc0cf6f90f7208d3292e633022c

SHA1
92d40a7b0050f6825c6c9db2507a9697a84eeeae

SHA256
a7e131bae6f22883f29ce95fe8a6e8764bd4d5938eb099b98af5d94aa6c308ad

SHA512
a5e5ec39cc240c6e70d8e7e902d45f425582f1ee8151e6d0a33b687819d316bb00a4f012e2bec3c6e717396c10ea18023e58f62a387d13ee469fde148ad6547b

Download Submit
C:\Windows\SysWOW64\Oqklkbbi.exe

Filesize
1.2MB

MD5
b07d5b60461c08383e1726ca72403f9b

SHA1
4fd55ceaf455bbb84b6ad162cbc5956aeefbf4cf

SHA256
a8276db6f56181801f4d1643da772b6b77cadc2071358d2b939ea23613db64a6

SHA512
6a99448799c556623d5392482f664a76875431acb733c1e448ed6da15068961c407c7e81d61bcc5f6666c053deedadcf76af47d8c1c796b49211aa16a4b22d4b

Download Submit
C:\Windows\SysWOW64\Pbjddh32.exe

Filesize
1.2MB

MD5
f8e9c60f61af9085ca2e1a0084bd2bfc

SHA1
aa34b9b21be5f80f941731d6aadee5a5154141e9

SHA256
099a8386d67c5e9a78b744a145120ce6e6c39174b4c6e65f55c8d059f87d8fff

SHA512
ff41e6ecea93ad400d57fb29acf65e3057243c566b19e9462bb5281c639067edc96b492ec62ced2db111d9b1931dbfa2610b34713ff3a85008bf941148e54ff9

Download Submit
C:\Windows\SysWOW64\Pciqnk32.exe

Filesize
1.2MB

MD5
b2255bb3543f98d283d5b4c0f8722f01

SHA1
07745a91ccebc206625b50ad52a31ad139b4132d

SHA256
1929518ccc38496f5616a7f0420bb0bc41bcc283d1afb80b8635b7926ba1f4e0

SHA512
f28e194bc28d4eb9e357fda1712d89faa5d4d7205239f6c25c0e031e63f38978ee13ae670603b72528d866e233a0aa7ba5329a1931e9972eb667f006e4db8093

Download Submit
C:\Windows\SysWOW64\Pfccogfc.exe

Filesize
1.2MB

MD5
b5fa267be2b2a2227b064825d7fd1ead

SHA1
c5d6f371115ffe5177cb8085df5ab11991d7ad33

SHA256
1ae3e1a159b5f9ae1ad61ef6d46c5e025455c1718292a1835194ddb2dcaf3a62

SHA512
05ee13e5bf4234a48cfefa62fd4012be9762dccd8bd4bfe6a7757fa649ba62da432691a6f082b927c7bca87af7e9da773b81f604ea66d6826890771af3f4c387

Download Submit
C:\Windows\SysWOW64\Pimfpc32.exe

Filesize
1.2MB

MD5
945a48dcc8ad9e452dbcbec8c6196212

SHA1
aaaf9b8f60921ccaef6ccebac206cd138abb8de5

SHA256
6de50a635753dddef72e64da9c6011be4522285cd832a47d34c5c5b3285da6b8

SHA512
2ff2dc06073566f9754fd60cf45c0b0b17ad6e5516a9ff2fba083c83fba64b69a52b65c66001881b96327bd714faf4f49935b0599a54e231d41442dff8a991c5

Download Submit
C:\Windows\SysWOW64\Pjaleemj.exe

Filesize
1.2MB

MD5
770afb12261963d8645ba9ce42bf4ff8

SHA1
ae7a939568231dacbc60e0383ad6a366085bd5c7

SHA256
6d2758bd16604cbfe76e49c86ecdfdc7a3613974c5e92c7da11eb749dd1552d1

SHA512
3535c36fe3f8c989150554499533a3fd58cfc26903bfeccc3a2b9dae95aba63af49a9c0b98d9ece4875b87258604333ef2939f38e5084cb9eed9e50986bef9a5

Download Submit
C:\Windows\SysWOW64\Pmphaaln.exe

Filesize
1.2MB

MD5
2de91aa8cbd267c719fa1b6e24944ec9

SHA1
f6bcf665015bc6237b20b068132cabf6504603e8

SHA256
f32733b0dbe4f9e7b6ec1583bbc51837db5bb6bb35cb2d7302a25fbe6b193427

SHA512
ef0bcd56a63588f034a064f09cba151dd957c2da9b7fe20005f7a8a680758fee9bdc4c23910142a56ff579eafd6b231f3d73bdb454ce7ae907c7ce4ef6e8e9f4

Download Submit
C:\Windows\SysWOW64\Pplhhm32.exe

Filesize
1.2MB

MD5
90a07e9a21f19bc07ddf7e5f7e3d8c43

SHA1
9e0ae7e9af4a831527b1891b7302a65793e8798d

SHA256
119f535183aa03a45316f02c2388143fe1053ae363eebea0c71bd5b00183978e

SHA512
bb2623897072fbd10c6520d11f80fb67e140c47046ca995ef4f46a5e0aa6fa325d492ac7e960d80fc1ba80594e593103ae93c1263158333114a2e8eb0c67c958

Download Submit
memory/532-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/640-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/756-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1136-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1152-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1208-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1316-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1340-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1340-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1340-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1464-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1620-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1656-209-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1676-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1812-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1880-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1896-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-121-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2108-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2372-246-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2476-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2924-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3052-238-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3180-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3228-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3228-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3368-557-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3368-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3376-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3404-254-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3604-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3608-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3620-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3632-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3720-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3724-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3780-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3820-591-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3820-49-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3884-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3920-315-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3952-45-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4020-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4384-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4384-564-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4400-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4440-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4460-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4464-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4464-598-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4580-566-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4680-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4740-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4884-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5008-228-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5016-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5064-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5080-578-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5080-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5100-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5144-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5160-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5200-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5224-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5240-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5280-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5288-585-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5320-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5356-592-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5360-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5400-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5432-599-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5440-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5480-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5520-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5560-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5600-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5640-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5680-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5720-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5760-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5800-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5840-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5880-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5920-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5960-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6000-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6040-532-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6080-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6120-545-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads