08c87dd1925a21b69c7aab6655e20e3aa1bb9991d281f577a267f8d696270937

Analysis

max time kernel
114s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 21:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa1e897936ddef0abad517f5baba4ea0N.exe
Size

110KB
MD5

aa1e897936ddef0abad517f5baba4ea0
SHA1

070218c1244f3b58db392fc7f61f223346425f48
SHA256

08c87dd1925a21b69c7aab6655e20e3aa1bb9991d281f577a267f8d696270937
SHA512

ed5ee8f8a698f8aa3361d0a4e58f438749ef5e52a16e4f5c5cb1adc0ea49581fcbd6ae6ad30f88aef7a648f268d1c62ab150884ade3d70d1f88c9dbb42ea1e13
SSDEEP

3072:wmTXzJiBalxJ+ZIejZJBBaMMqEZTLJiXSk6IXP:jTWa/47ZJ4qpSk6k

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpnjah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qppaclio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	aa1e897936ddef0abad517f5baba4ea0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcclncbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadghn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphqji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daeifj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	aa1e897936ddef0abad517f5baba4ea0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kidben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljpaqmgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojcpdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibegfglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhnojl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipgkjlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kapfiqoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibegfglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bigbmpco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jadgnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhhdnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilphdlqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpqggh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Binhnomg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilphdlqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apeknk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphqji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjhbfd32.exe

Executes dropped EXE 64 IoCs

pid	Process
1068	Ipgkjlmg.exe
2084	Ibegfglj.exe
2856	Iiopca32.exe
3412	Ilnlom32.exe
4376	Ibgdlg32.exe
4400	Ilphdlqh.exe
1120	Iondqhpl.exe
1752	Jlbejloe.exe
4252	Jaonbc32.exe
4176	Jhifomdj.exe
3024	Jocnlg32.exe
3712	Jhkbdmbg.exe
4092	Jadgnb32.exe
2796	Jhnojl32.exe
1172	Jafdcbge.exe
316	Jpgdai32.exe
1192	Kedlip32.exe
1676	Klndfj32.exe
2388	Kefiopki.exe
3876	Kheekkjl.exe
2528	Kidben32.exe
940	Kpnjah32.exe
4500	Kapfiqoj.exe
1112	Kpqggh32.exe
2960	Kabcopmg.exe
3044	Khlklj32.exe
3952	Kofdhd32.exe
1928	Lepleocn.exe
3608	Lcclncbh.exe
4528	Lhqefjpo.exe
3972	Laiipofp.exe
1852	Ljpaqmgb.exe
980	Legben32.exe
4288	Lplfcf32.exe
2440	Lancko32.exe
1944	Llcghg32.exe
404	Lpochfji.exe
720	Lcmodajm.exe
1340	Mhjhmhhd.exe
2184	Mpapnfhg.exe
2564	Mablfnne.exe
3820	Mlhqcgnk.exe
4728	Mbdiknlb.exe
1728	Mcdeeq32.exe
5100	Mhanngbl.exe
752	Mcfbkpab.exe
3180	Mhckcgpj.exe
3884	Nciopppp.exe
3780	Njbgmjgl.exe
4520	Noppeaed.exe
4372	Nhhdnf32.exe
1892	Noblkqca.exe
4668	Nfldgk32.exe
4272	Nodiqp32.exe
2976	Nbbeml32.exe
3008	Nimmifgo.exe
1372	Ncbafoge.exe
2996	Nqfbpb32.exe
3436	Obgohklm.exe
2724	Oiagde32.exe
1316	Oqhoeb32.exe
4880	Ofegni32.exe
2372	Oiccje32.exe
4848	Ocihgnam.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ckdkhq32.exe	Cgiohbfi.exe
File opened for modification	C:\Windows\SysWOW64\Ccppmc32.exe	Cpacqg32.exe
File created	C:\Windows\SysWOW64\Khnhommq.dll	Jpgdai32.exe
File created	C:\Windows\SysWOW64\Kpnjah32.exe	Kidben32.exe
File created	C:\Windows\SysWOW64\Nphnbpql.dll	Kpqggh32.exe
File opened for modification	C:\Windows\SysWOW64\Lplfcf32.exe	Legben32.exe
File created	C:\Windows\SysWOW64\Ohlemeao.dll	Jocnlg32.exe
File opened for modification	C:\Windows\SysWOW64\Mablfnne.exe	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Nbbeml32.exe	Nodiqp32.exe
File created	C:\Windows\SysWOW64\Bpjmph32.exe	Bipecnkd.exe
File created	C:\Windows\SysWOW64\Dbcdbi32.dll	Bapgdm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjhkmbho.exe	Bdocph32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Kefiopki.exe	Klndfj32.exe
File opened for modification	C:\Windows\SysWOW64\Njbgmjgl.exe	Nciopppp.exe
File opened for modification	C:\Windows\SysWOW64\Pmkofa32.exe	Pcbkml32.exe
File created	C:\Windows\SysWOW64\Qgdcdg32.dll	Aalmimfd.exe
File opened for modification	C:\Windows\SysWOW64\Ciihjmcj.exe	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Mbdiknlb.exe	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Pqolaipg.dll	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Cibain32.exe	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Pmhbqbae.exe	Pcpnhl32.exe
File created	C:\Windows\SysWOW64\Aadghn32.exe	Afockelf.exe
File opened for modification	C:\Windows\SysWOW64\Ajohfcpj.exe	Aiplmq32.exe
File opened for modification	C:\Windows\SysWOW64\Cgiohbfi.exe	Cpogkhnl.exe
File opened for modification	C:\Windows\SysWOW64\Bboffejp.exe	Bpqjjjjl.exe
File opened for modification	C:\Windows\SysWOW64\Kapfiqoj.exe	Kpnjah32.exe
File opened for modification	C:\Windows\SysWOW64\Nodiqp32.exe	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Lfgnho32.dll	Ppnenlka.exe
File created	C:\Windows\SysWOW64\Qppaclio.exe	Pfhmjf32.exe
File created	C:\Windows\SysWOW64\Amhmnagf.dll	Jhnojl32.exe
File created	C:\Windows\SysWOW64\Faoiogei.dll	Mablfnne.exe
File created	C:\Windows\SysWOW64\Alapqh32.dll	Nciopppp.exe
File created	C:\Windows\SysWOW64\Noppeaed.exe	Njbgmjgl.exe
File opened for modification	C:\Windows\SysWOW64\Ibegfglj.exe	Ipgkjlmg.exe
File created	C:\Windows\SysWOW64\Ilphdlqh.exe	Ibgdlg32.exe
File created	C:\Windows\SysWOW64\Lhkdqh32.dll	Jlbejloe.exe
File created	C:\Windows\SysWOW64\Jhifomdj.exe	Jaonbc32.exe
File created	C:\Windows\SysWOW64\Ghnllm32.dll	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Bjfogbjb.exe	Bboffejp.exe
File created	C:\Windows\SysWOW64\Leldmdbk.dll	Bjhkmbho.exe
File created	C:\Windows\SysWOW64\Ipecicga.dll	Bbdpad32.exe
File opened for modification	C:\Windows\SysWOW64\Caqpkjcl.exe	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Dahkpm32.dll	Iondqhpl.exe
File created	C:\Windows\SysWOW64\Mhckcgpj.exe	Mcfbkpab.exe
File created	C:\Windows\SysWOW64\Nqobhgmh.dll	Mhckcgpj.exe
File created	C:\Windows\SysWOW64\Oiccje32.exe	Ofegni32.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Ddcebe32.exe
File opened for modification	C:\Windows\SysWOW64\Nhhdnf32.exe	Noppeaed.exe
File created	C:\Windows\SysWOW64\Gpkehj32.dll	Ajohfcpj.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Ccdihbgg.exe
File opened for modification	C:\Windows\SysWOW64\Jlbejloe.exe	Iondqhpl.exe
File opened for modification	C:\Windows\SysWOW64\Kefiopki.exe	Klndfj32.exe
File opened for modification	C:\Windows\SysWOW64\Lepleocn.exe	Kofdhd32.exe
File created	C:\Windows\SysWOW64\Cgogbi32.dll	Lplfcf32.exe
File opened for modification	C:\Windows\SysWOW64\Nciopppp.exe	Mhckcgpj.exe
File created	C:\Windows\SysWOW64\Obgohklm.exe	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Pbjddh32.exe	Pjoppf32.exe
File created	C:\Windows\SysWOW64\Bipecnkd.exe	Bfaigclq.exe
File created	C:\Windows\SysWOW64\Biepfnpi.dll	Ilnlom32.exe
File opened for modification	C:\Windows\SysWOW64\Lcclncbh.exe	Lepleocn.exe
File opened for modification	C:\Windows\SysWOW64\Mhanngbl.exe	Mcdeeq32.exe
File created	C:\Windows\SysWOW64\Nciopppp.exe	Mhckcgpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6716	6620	WerFault.exe	221

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilphdlqh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcghg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mablfnne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njbgmjgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilnlom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhbqbae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbjddh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhfaddk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidben32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapfiqoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgnam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jocnlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpnjah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhqefjpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnenlka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjmph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhhdnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajohfcpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipgkjlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbkml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhnojl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oikjkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiplmq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjffpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigbmpco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfaigclq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdemb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nimmifgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapgdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cigkdmel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daeifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iiopca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lancko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opbean32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipecnkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgiohbfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbejloe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgdai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpedeiff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfbbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepleocn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obgohklm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojcpdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpqjjjjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljpaqmgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Legben32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noblkqca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpnhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhmjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalmimfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckidcpjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iondqhpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jafdcbge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedlip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccdihbgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhifomdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niojoeel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiagde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiccje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpogkhnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcebe32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlbejloe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khlklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjffpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkdqh32.dll"	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankhggi.dll"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Niojoeel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjhbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cienon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnllm32.dll"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmenm32.dll"	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiopca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibla32.dll"	Jaonbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kheekkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpogkhnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiplni32.dll"	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmcadl.dll"	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdqaqhbj.dll"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpogkhnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgfnm32.dll"	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbegn32.dll"	Lancko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lancko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildolk32.dll"	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahkpm32.dll"	Iondqhpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lancko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhqcgnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblamanm.dll"	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll"	Opbean32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilnlom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldaec32.dll"	Afockelf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpenhh32.dll"	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omalpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnpn32.dll"	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcclncbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll"	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iondqhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll"	Ljpaqmgb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1068	2576	aa1e897936ddef0abad517f5baba4ea0N.exe	89
PID 2576 wrote to memory of 1068	2576	aa1e897936ddef0abad517f5baba4ea0N.exe	89
PID 2576 wrote to memory of 1068	2576	aa1e897936ddef0abad517f5baba4ea0N.exe	89
PID 1068 wrote to memory of 2084	1068	Ipgkjlmg.exe	90
PID 1068 wrote to memory of 2084	1068	Ipgkjlmg.exe	90
PID 1068 wrote to memory of 2084	1068	Ipgkjlmg.exe	90
PID 2084 wrote to memory of 2856	2084	Ibegfglj.exe	91
PID 2084 wrote to memory of 2856	2084	Ibegfglj.exe	91
PID 2084 wrote to memory of 2856	2084	Ibegfglj.exe	91
PID 2856 wrote to memory of 3412	2856	Iiopca32.exe	92
PID 2856 wrote to memory of 3412	2856	Iiopca32.exe	92
PID 2856 wrote to memory of 3412	2856	Iiopca32.exe	92
PID 3412 wrote to memory of 4376	3412	Ilnlom32.exe	93
PID 3412 wrote to memory of 4376	3412	Ilnlom32.exe	93
PID 3412 wrote to memory of 4376	3412	Ilnlom32.exe	93
PID 4376 wrote to memory of 4400	4376	Ibgdlg32.exe	94
PID 4376 wrote to memory of 4400	4376	Ibgdlg32.exe	94
PID 4376 wrote to memory of 4400	4376	Ibgdlg32.exe	94
PID 4400 wrote to memory of 1120	4400	Ilphdlqh.exe	95
PID 4400 wrote to memory of 1120	4400	Ilphdlqh.exe	95
PID 4400 wrote to memory of 1120	4400	Ilphdlqh.exe	95
PID 1120 wrote to memory of 1752	1120	Iondqhpl.exe	96
PID 1120 wrote to memory of 1752	1120	Iondqhpl.exe	96
PID 1120 wrote to memory of 1752	1120	Iondqhpl.exe	96
PID 1752 wrote to memory of 4252	1752	Jlbejloe.exe	97
PID 1752 wrote to memory of 4252	1752	Jlbejloe.exe	97
PID 1752 wrote to memory of 4252	1752	Jlbejloe.exe	97
PID 4252 wrote to memory of 4176	4252	Jaonbc32.exe	98
PID 4252 wrote to memory of 4176	4252	Jaonbc32.exe	98
PID 4252 wrote to memory of 4176	4252	Jaonbc32.exe	98
PID 4176 wrote to memory of 3024	4176	Jhifomdj.exe	99
PID 4176 wrote to memory of 3024	4176	Jhifomdj.exe	99
PID 4176 wrote to memory of 3024	4176	Jhifomdj.exe	99
PID 3024 wrote to memory of 3712	3024	Jocnlg32.exe	100
PID 3024 wrote to memory of 3712	3024	Jocnlg32.exe	100
PID 3024 wrote to memory of 3712	3024	Jocnlg32.exe	100
PID 3712 wrote to memory of 4092	3712	Jhkbdmbg.exe	101
PID 3712 wrote to memory of 4092	3712	Jhkbdmbg.exe	101
PID 3712 wrote to memory of 4092	3712	Jhkbdmbg.exe	101
PID 4092 wrote to memory of 2796	4092	Jadgnb32.exe	102
PID 4092 wrote to memory of 2796	4092	Jadgnb32.exe	102
PID 4092 wrote to memory of 2796	4092	Jadgnb32.exe	102
PID 2796 wrote to memory of 1172	2796	Jhnojl32.exe	104
PID 2796 wrote to memory of 1172	2796	Jhnojl32.exe	104
PID 2796 wrote to memory of 1172	2796	Jhnojl32.exe	104
PID 1172 wrote to memory of 316	1172	Jafdcbge.exe	105
PID 1172 wrote to memory of 316	1172	Jafdcbge.exe	105
PID 1172 wrote to memory of 316	1172	Jafdcbge.exe	105
PID 316 wrote to memory of 1192	316	Jpgdai32.exe	106
PID 316 wrote to memory of 1192	316	Jpgdai32.exe	106
PID 316 wrote to memory of 1192	316	Jpgdai32.exe	106
PID 1192 wrote to memory of 1676	1192	Kedlip32.exe	107
PID 1192 wrote to memory of 1676	1192	Kedlip32.exe	107
PID 1192 wrote to memory of 1676	1192	Kedlip32.exe	107
PID 1676 wrote to memory of 2388	1676	Klndfj32.exe	108
PID 1676 wrote to memory of 2388	1676	Klndfj32.exe	108
PID 1676 wrote to memory of 2388	1676	Klndfj32.exe	108
PID 2388 wrote to memory of 3876	2388	Kefiopki.exe	109
PID 2388 wrote to memory of 3876	2388	Kefiopki.exe	109
PID 2388 wrote to memory of 3876	2388	Kefiopki.exe	109
PID 3876 wrote to memory of 2528	3876	Kheekkjl.exe	111
PID 3876 wrote to memory of 2528	3876	Kheekkjl.exe	111
PID 3876 wrote to memory of 2528	3876	Kheekkjl.exe	111
PID 2528 wrote to memory of 940	2528	Kidben32.exe	112

C:\Users\Admin\AppData\Local\Temp\aa1e897936ddef0abad517f5baba4ea0N.exe
"C:\Users\Admin\AppData\Local\Temp\aa1e897936ddef0abad517f5baba4ea0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\SysWOW64\Ipgkjlmg.exe
  C:\Windows\system32\Ipgkjlmg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\Ibegfglj.exe
    C:\Windows\system32\Ibegfglj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\Iiopca32.exe
      C:\Windows\system32\Iiopca32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
      - C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Kheekkjl.exe
        
        C:\Windows\system32\Kheekkjl.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        26⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        38⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        59⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        63⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        68⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        70⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        89⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        94⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        95⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        98⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        110⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        117⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        118⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        119⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6356
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6400
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6488
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6532
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:6620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6620 -s 412
        127⤵
        Program crash
        
        PID:6716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8
1⤵
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6620 -ip 6620
1⤵
PID:6688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aalmimfd.exe

Filesize
110KB

MD5
6d07f4d9c0149f0883879a1c04599055

SHA1
30db73681d09c1ef39e333b4d3f6a928c34066c7

SHA256
41943352265ef00007ce381a61f118c9850cf730d4d6a49af6074b741ee92a63

SHA512
952e06eaf81ed0a44227b633d357446f40633ad4929147f3d7563ce472ec3733693f40a39400403ed576be690e89986739b3d8020b978b7f6d1c7fa63befc9c4

Download Submit
C:\Windows\SysWOW64\Biepfnpi.dll

Filesize
7KB

MD5
ae4610cd6bc1dd401332f05f1484d9e7

SHA1
69538c970d59398e524a06ba9f0d25d68deae1b0

SHA256
11e05318c4fff1fc0539b15741e98ffb70ea6e3a29f5d2b087187ff2bbbd2d90

SHA512
4866462c3d19a67e9b295fd4ca40bbf4c419186f745a06d5622a6a88963f0ac8b20d52fbe72cb29829698484c36c524c3da10feed9e77721e3e1baed9268a5bc

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
110KB

MD5
6ce6b7bc7ca463a57456ff25e538eccc

SHA1
c60d66e83479adb73292c570b22d845ed655c7a1

SHA256
9e2689705b439aa3b96ff0097259c3d1dd267ef51bf085e62341e6b2f05ee19e

SHA512
7e04db9b06facc7a488d6d47a02c3822593e59cd8c0088f5034607b80c85cbe17c84d1730270b9aace60e9189d69ea9483bc5b43588960cdea20a9732f47541c

Download Submit
C:\Windows\SysWOW64\Ibegfglj.exe

Filesize
110KB

MD5
64b7126e9c0c060f40be6b58c411b6d9

SHA1
5bf3b8997903fec1e666f6395e886ead71c0e3dc

SHA256
1e5f04c9535ff257adfee1788c67b18d61fc621a52cd865e061544a10d5a5da6

SHA512
252cde100f9cd104cddfe065e2d2595961d1b0a538d687832addae59a184e46691296919e5c979352e4e3c41bc3da7b18cba7aec530cb6efc245084432816c3d

Download Submit
C:\Windows\SysWOW64\Ibgdlg32.exe

Filesize
110KB

MD5
7c37fda49ab90cd9243664019a027295

SHA1
3c2ae1280407f34fc0767e843bf12c299504126a

SHA256
b66567f42e5864403bb450d9c5e0d307d4fa3a83dcdcfb10a91ee1d9cd2bbf91

SHA512
f8894bb6902a732d0330e8a37a79848dabe121def91f3012518163892a9b991238d5cb350459f5dcf8eab127844194bcad033a6525953d7fa3ab5a73ae4ed759

Download Submit
C:\Windows\SysWOW64\Iiopca32.exe

Filesize
110KB

MD5
9c9c2eac94c8d8d6bebd8aa4a81cbdcc

SHA1
b4c8e5132641cf8056d2baad886c7e3c353e76d9

SHA256
c9f8afbc7fa91a5480ebc833e1cd69f73eb6189402c36c42b7a7241f9af2344e

SHA512
ff79661f858ad2c893d19438e36aa9592ae308952f198ec7f6a57e6da763fd232a4e9c0f573185d8488ed3f9ab87bb19b350a4e0e99bf5a34379d02c182ad7e0

Download Submit
C:\Windows\SysWOW64\Ilnlom32.exe

Filesize
110KB

MD5
b56ace26181d0473d1dc039964e7bcdb

SHA1
f0b52c945fcb878539ffee20c727bde815828d3d

SHA256
38fce0ed7b3ec0717141b438173268f0b1ae2db554460d578070ccc6e9e1bbf1

SHA512
20574a9f11bd193103ca75dc0c0d28b5e3e97e4bfb76c88de32deb70c8b7cdbaebf6159e79bdc235d7fb1b62ff6ca66a74de23c086876dc7790bf37754b08e88

Download Submit
C:\Windows\SysWOW64\Ilphdlqh.exe

Filesize
110KB

MD5
64ae5db435f8450be4cedb310a2c6402

SHA1
428725b8d09e695e9b531404e9e0e107254fbe78

SHA256
669f87d2fdde3e548200f40f82dce7d1979181ea87dba47927df01f5758919d3

SHA512
631fcd7284ad3419cb32c2623859fdc7f49f2bcea0838540ba0dced53c8ccb102bfd202b38521b93b63ed9e85258c5b5c13a354d18f6f76e69579dbd89c8dbd7

Download Submit
C:\Windows\SysWOW64\Iondqhpl.exe

Filesize
110KB

MD5
63da266a56de2f013b9f2b81d99dd3ce

SHA1
ee891c034e1c94a0aa0b150ee9e9ed7716d358b4

SHA256
e789e5f37c1b37f7e810e0545503b3dde0ce941528c447efae547d0702b3d078

SHA512
75b3dac058a238dd65b16750f4987997ff42edb843d60891045133fc98ef112b8a774338f2ef9232d88572eee42e6bd8d3aa2588ce5a7dff2ed747e6dcfda151

Download Submit
C:\Windows\SysWOW64\Ipgkjlmg.exe

Filesize
110KB

MD5
be04e25b818e80d58a268858a209f9c3

SHA1
ecb6d4589336d00eefbae9c7ec3d2e5cc2c5f968

SHA256
fb35b50a4b6aa65daed6dfbc426461e023dd844e3b15006b87c001379d8df646

SHA512
f96f2ed49cb2486fc9f23a996d6117699435894ce32f9d5cb2931589dcd05e990fd036475611bfb6921b34f571de851d274029d35a90ff180bc84023d5463cbb

Download Submit
C:\Windows\SysWOW64\Jadgnb32.exe

Filesize
110KB

MD5
3a1fcbac2abb3b5db6873491d148b27f

SHA1
ee386a9aae5a1348dc6058c375e737c0cd23e36c

SHA256
d9c4c702f7a02fbbe54ffcaf6216d3bbba25f9ec724b1a211f5aca4dcaf5a50a

SHA512
cf9a5d821ff35b3e8b64ce9b5f549106fcdf58c5bf2a5d24d68154562078e8674bdb20206dd05faa61356ba025b2ae7284d8a9ad88a4e4884c8e20d51e49798f

Download Submit
C:\Windows\SysWOW64\Jafdcbge.exe

Filesize
110KB

MD5
3e6420482094e9d23e8a2adb1b021315

SHA1
c1330b1e6e92c3aadea91770c0b9e63601735332

SHA256
5c365de00d99f3ed6eceaedbd67ba3856fa7ca7eee99bff584071f427b752c23

SHA512
a91362d87de37d3f5c51e64fe562a4092461442c0837223249e0d59fe9a23f89881deed786cc0422d5e2a62f82a269fd5b02d10c5399e3575673108e51cec0d5

Download Submit
C:\Windows\SysWOW64\Jaonbc32.exe

Filesize
110KB

MD5
91c9395de9028c0c3cd2068163c91277

SHA1
2a3c9026526d842cb73e8a3014dc20b09c52c1c3

SHA256
3a293336388c8a21014765b6a6a30b48f28339ecb001f3bd84dc9574e609287c

SHA512
da051d3232e61525444bc75a8e60043393eb1ac58d65f008bd0c83767f20bbb78bc8ddbc7666ddb1321c05ca812ce85662926d5e5eabbf271299d7ecb92e1b53

Download Submit
C:\Windows\SysWOW64\Jhifomdj.exe

Filesize
110KB

MD5
52e1967e529c4f01fff02ea24548c09d

SHA1
225afba3cb0f39c6de42e7fe4293bef182d07e2f

SHA256
dbc168c8fe59fe7cebe804edd9c118b712756ed02caa930a0bcfa098bda44e31

SHA512
ad61690ab6bf54fe4949b596e990eab1abaf8b1460352a883d7184630d264a2c2f260da07eeb144a7d82f63a82f5277e8fa094976f6068195a6aec69c58795e7

Download Submit
C:\Windows\SysWOW64\Jhkbdmbg.exe

Filesize
110KB

MD5
ea8860bd30caed38c8f4c8144e85100b

SHA1
c4bceae0dbcc8b789ed7b4654b3b97a7c596db92

SHA256
be86007c78fe57959fc2e3375f23dab8438b737c580e818e9ac967bcb1269f94

SHA512
e11d3ed078383bd1babb2c56cd0b766d079c5b5438150246c4f34f5e96dbe49b3050fc106d80958f0b1563a2147df40ae0596b4bca741220e422fffe39dc6344

Download Submit
C:\Windows\SysWOW64\Jhnojl32.exe

Filesize
110KB

MD5
b9483df29cf8d909c5fc4f359049da5f

SHA1
ef6d0271289a0181c7731c089276e48717c508b7

SHA256
9b5b3bfed67ae72ad6434882967cd69fcba2c4ce791a8c2042899cd931cc8a6a

SHA512
de3fccc6a0dd6cf3346a6eb82cc34418a9e00ef6d62472c300db60b113469a809d19b3bc69733bbd050fc6620b24ae6ad1ed42dec7b1d323c0f74a1d06eb8d4b

Download Submit
C:\Windows\SysWOW64\Jlbejloe.exe

Filesize
110KB

MD5
6cae4bee215f00c8546b87e2b46e53c7

SHA1
1f6086d804b488b245b9e4f3188561c993decba8

SHA256
7b7d0c8fe74a674fa2700724f4aa04aea46c15581f4e005d77880250ef8786c7

SHA512
46f9d5727a393b4eb1d93f352c846f3d9053d0740d9adf601734532d72e1a680fd7dd6d4c23b15418442cea8c1f59dcff963b3245db3d270f97e337645b8a896

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
110KB

MD5
b9eda8adc8fd9e3a09e9566afe0faed2

SHA1
66f882080b8b5fa94af97f45471635ec190314f7

SHA256
af19c6882ff7b0ddf76542dc306458af2f37f20f5885f60ba00a278636c98791

SHA512
c764d3fd907f548b4420347985b3c4cc516de41948de3f63759e82fdffd93bff2e23de2c01de32293da695a00ff752e36a78bfc3b14e2b87c50b5a2e8cfa15bc

Download Submit
C:\Windows\SysWOW64\Jpgdai32.exe

Filesize
110KB

MD5
9173791f30946e3c3a8e21bd76781a48

SHA1
516ee6c83d5668bfc441bb5b2190f3695a81e7eb

SHA256
0eabf538fd2c21eae171263361ab9741799a7fb14927d453ae6ffbe8f23a57c5

SHA512
47f6ee993df46b8c9a6b8bcb7c8fd43af87a2cf7e0b27f82aa45dd187c3cc84527c18c993679e8b05c69a201879445c7c6981cefe8ca0ea55054e6bf70751b92

Download Submit
C:\Windows\SysWOW64\Kabcopmg.exe

Filesize
110KB

MD5
77913d8640980a54ff08bf068c6f9358

SHA1
aa9cf04350426b58a8769eb113020bf435fb8897

SHA256
89a49b196d1dbf209b602b35ec48298dfa05c393cc694791640ecbf8e773e445

SHA512
2b21c9ac2a66ff3a0ddaedc178aeeb80f66e68630c259d5a47d48cd26f781e764d5cefefe67cd6e73d5bd8a46fbe2b29d1bd6dfb223eb08223c418e8b53581b7

Download Submit
C:\Windows\SysWOW64\Kapfiqoj.exe

Filesize
110KB

MD5
ca6dd1d52e790f5aca11074fa412ffa1

SHA1
568237d232f2cdfb11e9446b7b632f3727b4deb1

SHA256
c867e30809b082bcfc0cdb146b9b68fde92a034d812a122883257515ac736650

SHA512
d214b7ed95acbc9671e309b2f07e78ced49826904d3b4d441947a1f7383a33dc80f435029f7d0de4b047bb16c39f3f4bde8b944adbd4adcb42c07f26af7856c6

Download Submit
C:\Windows\SysWOW64\Kedlip32.exe

Filesize
110KB

MD5
cbaf39f22c4e82a392e58856b751c23f

SHA1
84119317b514c7c9fb9b5029fe280041d23072cc

SHA256
399bceb0aa759c31e3ef1e6fdc6120467a351b0bd6b7f16d2924873c49271eae

SHA512
d9156b281e6b75e503ccab23287fc48c88a2e82ebf2444cd51fd04c702db503113013acea2ca313678c92e13ac15281022642b1c3d96131e4d151fe3a21859a5

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
110KB

MD5
45bd38a10586670222b00aa2c6ca03ab

SHA1
8b3fd9a471fd3823c692b5e9e3d26916fed47a75

SHA256
e482917ba103d6e119af300c889b077b950ce4c3252a467fc7f4345fb9dadb28

SHA512
604be18491d0a449637ec0c74548e62a199708bbf6a98a2d5b02becc40f0fca610219cf87fc8e75e6bb729607923e504488dbed9f5f3b37054aa5ecea71da70f

Download Submit
C:\Windows\SysWOW64\Kheekkjl.exe

Filesize
110KB

MD5
32b567d3e716b21bfa0b9ccfdc923d5d

SHA1
228186f7a0fc08e4fa133e808a14a5d385d34b83

SHA256
dddd7eda4180f385ac4a6d1a297785435f8ad80a9385395fd02a6491ceacdf9f

SHA512
8d541d5a319e35e0125188f1f91b9d0d9b48a7c7957b73f27eae27db08ef85e73b0f32909fdf681ed48e6e8b3e17137f0b6e2a2c6d44bbc49d4f789242dab76a

Download Submit
C:\Windows\SysWOW64\Khlklj32.exe

Filesize
110KB

MD5
6ed0b582b041d9c53d026eac86a008de

SHA1
d4bb8cb1503c128ec2c060c3b0136ffaf4d0550f

SHA256
1dad6f24a0bf1477060969e6132c2936f14e24aa0e207909ee59442f6b7c69ef

SHA512
62d1f5813166dc2408521e230ce3cfba71b2303e59aa13276b03030e9daab7fba03faf52dfdafd65863f9902aa8b5a62eff0d66241985cd1a6def4884222f5af

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
110KB

MD5
71bd77c460c75a26e42dc429f269506c

SHA1
1301e3b41f1178ed93be3c5dc71bf4d73fa494ef

SHA256
84dce06e77a04de486d06a783a893fbeedc3ae96d577ce7c989be141781a67e2

SHA512
d9a10b6a3eafa385d6bfc5a8f20fc5d8ffa6027e2e191164947eeeed7f0f7441a08f6f727cf7b80338ff01c0fb059b7d91c37c4fa441655ef9746ca126d67a2f

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
110KB

MD5
c8f65aa739bffd3b74fde206d3767e6b

SHA1
e8083d432bd42288bf6853054757eca823bd22fb

SHA256
da9f7753e4b06084325f7aaaec99633c0d9808d05b3d334cffcb7b7c806084f1

SHA512
2be0be55c0cf4161c823e3dc47ad761f8d52f3d5843193c2f9307ce6c09737f928762e404f65f831a344adbe8dffbb5f6cf6bdcf141b84b97e93370ec61c3a5b

Download Submit
C:\Windows\SysWOW64\Kofdhd32.exe

Filesize
110KB

MD5
35b9fb9e2ab60fac33cbb8a03f349834

SHA1
c651b1d33a7d6cf7c3590bed36b330e3da40d66e

SHA256
01b491f62e489ae5180dd2bf58ab029e76e1fa026ae07e3097d325dc6351f725

SHA512
d92984a6b954f7ef1a9e706dd1791c6a89e077964a9af9fa540aa0ae47059585682538d8ae13c81667e389387a06325ae94d21699992d88cce940a69f469a3ba

Download Submit
C:\Windows\SysWOW64\Kpnjah32.exe

Filesize
110KB

MD5
426d93297e7ed6860439edf1e286dd6d

SHA1
32d7351286a2fe18022283bd4b17947fcf8342e8

SHA256
380d9b268bba3fa89695b08a4d3cccf0221027bb271a391e0da0defd81edacf9

SHA512
8321e7022f5922be0658309f54524c26fe94ef5eed22944a9eba2e6d380dd1a90945f855a3f7f9f8a25455a03da74882df5df6349a53a870cc3080bee9fc58fb

Download Submit
C:\Windows\SysWOW64\Kpqggh32.exe

Filesize
110KB

MD5
3b2226709cef3d7e80b709087e65f17b

SHA1
2fd7d6f0e949828b715c94821a6e91df312eabcd

SHA256
daa8fe90551821fd20801431e76956869732b76621bd55922e8998fc229f3b2c

SHA512
45200162ad0d898bf49083b0d7042e89c0f2138c36e4bb0f33538941591d70f9d1851ab7c2ec51d651451a7745b3807e77a5f472934b4f71e375a4d0fb11c412

Download Submit
C:\Windows\SysWOW64\Laiipofp.exe

Filesize
110KB

MD5
85936113ad4ea81084910912dbc41523

SHA1
eda4a4c6872b8fdd0ddc4e7126160a406cb3ae3a

SHA256
042c50c230140347e37366858cf29af28f1feb7f7e944ae25e2846ca3066164b

SHA512
9d031c0290381ccc042eff5f03c733ef2a12f22663b1843d7c38c27ca4c8236c7d73bdc066018a82249eef10b938cae9ae80d1ff9068ce43d1a2f6cf12e15ba1

Download Submit
C:\Windows\SysWOW64\Lcclncbh.exe

Filesize
110KB

MD5
226a19c8abde55e49bc63836bdf5a4fd

SHA1
91617ba6d6525f4ab0498cd96c8502886f61b831

SHA256
0ddbbc97f6e14d8420b65bbe15d47fbcc96fbed2bdd6610c3b1672bd9b435b00

SHA512
4395d34ebb1fb222f7c7cafdb719d2286515c4ada45618816e7de8fc080963f46ac67e8c3de96662fc919cdbe5fa34562ca327221c7d3000a4cdf0fa7b26254d

Download Submit
C:\Windows\SysWOW64\Lepleocn.exe

Filesize
110KB

MD5
241735d5cd80a021b40555dd10299363

SHA1
ebe32626119497c2d49728d7df61493b4da26032

SHA256
8f59daf164d7f791ce057d665407a96156184a7efa08ddeba63b412919f52f85

SHA512
97ad36cdd4a563cc93cb72df87d6dd06f620f2a206e359a82d25a1e98001c46053878bd9e5e83ca6a3dfa72269cc1b96b9094c76244c736bb60690fcbd3ad893

Download Submit
C:\Windows\SysWOW64\Lhqefjpo.exe

Filesize
110KB

MD5
529600f7748ca839bdae17eb69569e3d

SHA1
200ccbb6081beb7c072ea26887683834861cdfcf

SHA256
5d7514c60533e0b86f007472fe294b21d1e3cc7a25453c88915f5cf61af01a51

SHA512
b7f38484bc77dc58e5254f786d80444ba1353743ed893d3d2e17565256bb91437a118a114d720f917361310b2d3dcb1898262da73df0eca55bd66867720c0f98

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
110KB

MD5
b9375343b2727b09529a16bf3f31e7a4

SHA1
14102998e47c285a06145cdac48e5288495cd746

SHA256
49ba35e0338e0155fdb058c15db6faa78db97351ac99328b322dc880ab660868

SHA512
a00c41f4440aeb53dfc2f5515a0d3a772094ab545eed8515936413742dac8f65ad48b456df6d7305427a95d8972b7ce0be5e5cdc2491c1c39b8a607d8195ca84

Download Submit
C:\Windows\SysWOW64\Mcdeeq32.exe

Filesize
110KB

MD5
09d8e25cd6ebd5a558c78aa40681c636

SHA1
bf031f5b83a5a98b54d61cec6efd500b7eb7bb02

SHA256
1c03f83a1cc6ca157d5262226fc4206782131ac49e3a11d3f5e63b69a00d9b8c

SHA512
2ffec7b2f518c10119ca360f2324110ae9c3edcaf84e353f5bbac3bc9223c9aa210d0b2907c9bab6b823c34a392ef2d6dfbd3f98062c645499f8bea0599433dc

Download Submit
C:\Windows\SysWOW64\Omalpc32.exe

Filesize
110KB

MD5
5b356bd4c71b9650ae722eba0041e854

SHA1
67dfb436126d7dc123c71a1149a08970d4c9caa0

SHA256
e05031ac04b8d5b96fe047168bca6987ed63a1b3d7ecae2d14c2c497cd5142c5

SHA512
2effe9cfe7af6c3330d13bf5a7755002e858dfca9fec36a03084f6ba4f02cb56e2ebd8771d4673867d8db48238ca321595b26ac2840dd999efed03b9925fa8fa

Download Submit
C:\Windows\SysWOW64\Pmhbqbae.exe

Filesize
110KB

MD5
1c9c283880c688fce7df37a0c24901cf

SHA1
eff4b28c4a432e7f4f9de1e2cfcfb16c1afb6575

SHA256
dffd3191556e7034ce446400997c50668b365207bcfdfeacf0fc5c92de6e0579

SHA512
028ec6700f254177a608f3d2bdcb16947a60c17bfc68781ef375efff83bc135223b4281f8316ca8a3fde124ce07c482b9d915a40e5b7ca326efbbfc17b0f6a98

Download Submit
memory/316-127-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/404-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/720-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/752-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/940-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/980-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1068-546-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1068-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1112-191-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1120-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1120-588-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1172-119-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1192-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1340-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1372-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1676-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1728-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1752-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1852-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1892-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1928-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1944-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2084-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2084-553-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2184-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2372-446-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2440-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2528-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2564-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2576-539-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2576-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2724-425-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2796-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2856-560-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2856-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2976-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2996-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3024-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3044-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3180-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3412-567-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3412-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3436-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3608-231-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3712-95-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3780-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3820-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3840-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3876-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3884-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3952-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3972-252-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4092-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4176-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4252-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4272-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4288-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4372-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4376-574-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4376-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4400-581-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4400-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4500-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4520-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4528-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4668-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4728-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4848-449-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4880-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5100-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5132-455-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5172-461-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5212-467-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5252-473-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5292-479-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5332-485-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5372-495-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5408-497-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5452-503-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5492-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5528-515-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5572-521-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5620-527-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5692-533-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5732-540-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5780-547-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5840-554-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5912-561-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5956-570-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6004-575-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6052-582-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6096-589-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads