80f39cafd3cb395e04115d6c2769d6a3c2fd529b0f328a5195b8579e21eba66d

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

926d344c1cd124d95d7ca4d21ff07f30N.exe
Size

187KB
MD5

926d344c1cd124d95d7ca4d21ff07f30
SHA1

2dfa69b9555923523404682f4d751d54106ddf20
SHA256

80f39cafd3cb395e04115d6c2769d6a3c2fd529b0f328a5195b8579e21eba66d
SHA512

d610125df50657a4d58027a22ea219806228248101cb4d5a6df56b90f734b58537ac7c600233d840228f3a836e34c0ee9a2809d88b34076f53554e047fed5546
SSDEEP

3072:HcYn6xJzwBu7/d6feYZl2NkzwH5GJks8WYlOWe7VsayDZVZev1N:/UJEM7/dlK9zwZ9s8SZq/svL

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnjbdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poidhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pijcpmhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kongmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhpgca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfohjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mekdffee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Napameoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Janghmia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdopjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcjldk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	926d344c1cd124d95d7ca4d21ff07f30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjdokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjdokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfiagd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	926d344c1cd124d95d7ca4d21ff07f30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddiegbm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfkpjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfnjbdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfiagd32.exe

Executes dropped EXE 64 IoCs

pid	Process
816	Iagqgn32.exe
4480	Ijpepcfj.exe
1364	Ibgmaqfl.exe
4264	Jnnnfalp.exe
3684	Jdjfohjg.exe
4068	Jjdokb32.exe
936	Janghmia.exe
2496	Jjgkab32.exe
3648	Jdopjh32.exe
4896	Jhkljfok.exe
2976	Jjihfbno.exe
3216	Jjkdlall.exe
4316	Jddiegbm.exe
932	Koimbpbc.exe
2772	Khabke32.exe
3860	Kajfdk32.exe
3628	Khdoqefq.exe
448	Kongmo32.exe
5000	Khfkfedn.exe
3988	Kaopoj32.exe
4188	Khihld32.exe
1528	Kocphojh.exe
1848	Kaaldjil.exe
1220	Loemnnhe.exe
3924	Leoejh32.exe
4916	Logicn32.exe
2844	Llkjmb32.exe
1428	Ledoegkm.exe
3212	Lkqgno32.exe
4748	Lajokiaa.exe
4812	Lkcccn32.exe
5096	Lcjldk32.exe
652	Lehhqg32.exe
2264	Mclhjkfa.exe
1864	Mekdffee.exe
4864	Mkgmoncl.exe
2784	Mcoepkdo.exe
4612	Mdpagc32.exe
2992	Mkjjdmaj.exe
2060	Mdbnmbhj.exe
4820	Mohbjkgp.exe
3828	Mafofggd.exe
836	Mhpgca32.exe
2220	Mojopk32.exe
3680	Mcfkpjng.exe
4840	Mdghhb32.exe
976	Nlnpio32.exe
3528	Nakhaf32.exe
3780	Nefdbekh.exe
2148	Nheqnpjk.exe
3324	Nfiagd32.exe
2776	Nlcidopb.exe
4632	Ncmaai32.exe
4592	Napameoi.exe
2572	Nhjjip32.exe
60	Nkhfek32.exe
4416	Nconfh32.exe
2408	Nfnjbdep.exe
5072	Nhlfoodc.exe
1336	Ncaklhdi.exe
5136	Odbgdp32.exe
5176	Okmpqjad.exe
5220	Obfhmd32.exe
5260	Ofbdncaj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pmjhlklg.exe	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Aealll32.exe
File created	C:\Windows\SysWOW64\Ohhbfe32.dll	Mcfkpjng.exe
File created	C:\Windows\SysWOW64\Eknanh32.dll	Nhjjip32.exe
File created	C:\Windows\SysWOW64\Gcdfnq32.dll	Ofbdncaj.exe
File created	C:\Windows\SysWOW64\Nhjjip32.exe	Napameoi.exe
File created	C:\Windows\SysWOW64\Mejcig32.dll	Nfnjbdep.exe
File created	C:\Windows\SysWOW64\Ofijnbkb.exe	Oooaah32.exe
File created	C:\Windows\SysWOW64\Qmckbjdl.exe	Qfjcep32.exe
File opened for modification	C:\Windows\SysWOW64\Pmjhlklg.exe	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Qbngeadf.exe	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Aijlgkjq.exe	Abpcja32.exe
File created	C:\Windows\SysWOW64\Jjgkab32.exe	Janghmia.exe
File opened for modification	C:\Windows\SysWOW64\Llkjmb32.exe	Logicn32.exe
File created	C:\Windows\SysWOW64\Napameoi.exe	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Clpkdlkd.dll	Oflfdbip.exe
File created	C:\Windows\SysWOW64\Aealll32.exe	Apddce32.exe
File created	C:\Windows\SysWOW64\Janghmia.exe	Jjdokb32.exe
File opened for modification	C:\Windows\SysWOW64\Khihld32.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Fklociap.dll	Ncmaai32.exe
File opened for modification	C:\Windows\SysWOW64\Nhlfoodc.exe	Nfnjbdep.exe
File created	C:\Windows\SysWOW64\Aomqdipk.dll	Khfkfedn.exe
File opened for modification	C:\Windows\SysWOW64\Nconfh32.exe	Nkhfek32.exe
File created	C:\Windows\SysWOW64\Mkbdql32.dll	Oooaah32.exe
File opened for modification	C:\Windows\SysWOW64\Pbimjb32.exe	Pmmeak32.exe
File opened for modification	C:\Windows\SysWOW64\Qmanljfo.exe	Qejfkmem.exe
File opened for modification	C:\Windows\SysWOW64\Qppkhfec.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Fkekkccb.dll	Mdbnmbhj.exe
File opened for modification	C:\Windows\SysWOW64\Mdghhb32.exe	Mcfkpjng.exe
File created	C:\Windows\SysWOW64\Abohmm32.dll	Nconfh32.exe
File created	C:\Windows\SysWOW64\Lchfjc32.dll	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Qfjcep32.exe	Qbngeadf.exe
File opened for modification	C:\Windows\SysWOW64\Mdpagc32.exe	Mcoepkdo.exe
File created	C:\Windows\SysWOW64\Nheqnpjk.exe	Nefdbekh.exe
File created	C:\Windows\SysWOW64\Conllp32.dll	Piceflpi.exe
File created	C:\Windows\SysWOW64\Mfppnk32.dll	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Mohbjkgp.exe	Mdbnmbhj.exe
File created	C:\Windows\SysWOW64\Oimlepla.dll	Nakhaf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmhkflnj.exe	Pfncia32.exe
File opened for modification	C:\Windows\SysWOW64\Jhkljfok.exe	Jdopjh32.exe
File created	C:\Windows\SysWOW64\Koimbpbc.exe	Jddiegbm.exe
File created	C:\Windows\SysWOW64\Khfkfedn.exe	Kongmo32.exe
File created	C:\Windows\SysWOW64\Encnaa32.dll	Mcoepkdo.exe
File created	C:\Windows\SysWOW64\Piceflpi.exe	Pfeijqqe.exe
File opened for modification	C:\Windows\SysWOW64\Abpcja32.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Jjgkab32.exe	Janghmia.exe
File created	C:\Windows\SysWOW64\Nlcidopb.exe	Nfiagd32.exe
File opened for modification	C:\Windows\SysWOW64\Okolfj32.exe	Ofbdncaj.exe
File created	C:\Windows\SysWOW64\Pnnggcqk.dll	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Abpcja32.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Khabke32.exe	Koimbpbc.exe
File opened for modification	C:\Windows\SysWOW64\Kongmo32.exe	Khdoqefq.exe
File created	C:\Windows\SysWOW64\Aocdjq32.dll	Mojopk32.exe
File created	C:\Windows\SysWOW64\Pijcpmhc.exe	Oflfdbip.exe
File created	C:\Windows\SysWOW64\Jnnnfalp.exe	Ibgmaqfl.exe
File opened for modification	C:\Windows\SysWOW64\Nhjjip32.exe	Napameoi.exe
File created	C:\Windows\SysWOW64\Omcbkl32.exe	Ofijnbkb.exe
File opened for modification	C:\Windows\SysWOW64\Omcbkl32.exe	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Oflfdbip.exe	Ocmjhfjl.exe
File opened for modification	C:\Windows\SysWOW64\Pfncia32.exe	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Qejfkmem.exe	Piceflpi.exe
File created	C:\Windows\SysWOW64\Ijpepcfj.exe	Iagqgn32.exe
File opened for modification	C:\Windows\SysWOW64\Jjkdlall.exe	Jjihfbno.exe
File opened for modification	C:\Windows\SysWOW64\Logicn32.exe	Leoejh32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhpgca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcidopb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibgmaqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janghmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mohbjkgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdbnmbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nheqnpjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkjjdmaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kajfdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khfkfedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoejh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlfoodc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khabke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odbgdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnjbdep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcjldk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfiagd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napameoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkljfok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpagc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	926d344c1cd124d95d7ca4d21ff07f30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lehhqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nefdbekh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnnnfalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkcccn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkgmoncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koimbpbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfkpjng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeijqqe.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoggpbpn.dll"	Mekdffee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobdnbdn.dll"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kialcj32.dll"	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khecje32.dll"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedkhf32.dll"	Khabke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcoepkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimlepla.dll"	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmheb32.dll"	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhbch32.dll"	Janghmia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lehhqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknanh32.dll"	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehilac32.dll"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kocphojh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkheoa32.dll"	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijflc32.dll"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fooqlnoa.dll"	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgglf32.dll"	926d344c1cd124d95d7ca4d21ff07f30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogpoiia.dll"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joboincl.dll"	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knojng32.dll"	Poidhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	926d344c1cd124d95d7ca4d21ff07f30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcokoo32.dll"	Okolfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aealll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Logicn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll"	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbngnmk.dll"	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgoikbje.dll"	Okailj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 816	4116	926d344c1cd124d95d7ca4d21ff07f30N.exe	91
PID 4116 wrote to memory of 816	4116	926d344c1cd124d95d7ca4d21ff07f30N.exe	91
PID 4116 wrote to memory of 816	4116	926d344c1cd124d95d7ca4d21ff07f30N.exe	91
PID 816 wrote to memory of 4480	816	Iagqgn32.exe	92
PID 816 wrote to memory of 4480	816	Iagqgn32.exe	92
PID 816 wrote to memory of 4480	816	Iagqgn32.exe	92
PID 4480 wrote to memory of 1364	4480	Ijpepcfj.exe	93
PID 4480 wrote to memory of 1364	4480	Ijpepcfj.exe	93
PID 4480 wrote to memory of 1364	4480	Ijpepcfj.exe	93
PID 1364 wrote to memory of 4264	1364	Ibgmaqfl.exe	95
PID 1364 wrote to memory of 4264	1364	Ibgmaqfl.exe	95
PID 1364 wrote to memory of 4264	1364	Ibgmaqfl.exe	95
PID 4264 wrote to memory of 3684	4264	Jnnnfalp.exe	96
PID 4264 wrote to memory of 3684	4264	Jnnnfalp.exe	96
PID 4264 wrote to memory of 3684	4264	Jnnnfalp.exe	96
PID 3684 wrote to memory of 4068	3684	Jdjfohjg.exe	97
PID 3684 wrote to memory of 4068	3684	Jdjfohjg.exe	97
PID 3684 wrote to memory of 4068	3684	Jdjfohjg.exe	97
PID 4068 wrote to memory of 936	4068	Jjdokb32.exe	98
PID 4068 wrote to memory of 936	4068	Jjdokb32.exe	98
PID 4068 wrote to memory of 936	4068	Jjdokb32.exe	98
PID 936 wrote to memory of 2496	936	Janghmia.exe	99
PID 936 wrote to memory of 2496	936	Janghmia.exe	99
PID 936 wrote to memory of 2496	936	Janghmia.exe	99
PID 2496 wrote to memory of 3648	2496	Jjgkab32.exe	100
PID 2496 wrote to memory of 3648	2496	Jjgkab32.exe	100
PID 2496 wrote to memory of 3648	2496	Jjgkab32.exe	100
PID 3648 wrote to memory of 4896	3648	Jdopjh32.exe	101
PID 3648 wrote to memory of 4896	3648	Jdopjh32.exe	101
PID 3648 wrote to memory of 4896	3648	Jdopjh32.exe	101
PID 4896 wrote to memory of 2976	4896	Jhkljfok.exe	102
PID 4896 wrote to memory of 2976	4896	Jhkljfok.exe	102
PID 4896 wrote to memory of 2976	4896	Jhkljfok.exe	102
PID 2976 wrote to memory of 3216	2976	Jjihfbno.exe	103
PID 2976 wrote to memory of 3216	2976	Jjihfbno.exe	103
PID 2976 wrote to memory of 3216	2976	Jjihfbno.exe	103
PID 3216 wrote to memory of 4316	3216	Jjkdlall.exe	105
PID 3216 wrote to memory of 4316	3216	Jjkdlall.exe	105
PID 3216 wrote to memory of 4316	3216	Jjkdlall.exe	105
PID 4316 wrote to memory of 932	4316	Jddiegbm.exe	106
PID 4316 wrote to memory of 932	4316	Jddiegbm.exe	106
PID 4316 wrote to memory of 932	4316	Jddiegbm.exe	106
PID 932 wrote to memory of 2772	932	Koimbpbc.exe	107
PID 932 wrote to memory of 2772	932	Koimbpbc.exe	107
PID 932 wrote to memory of 2772	932	Koimbpbc.exe	107
PID 2772 wrote to memory of 3860	2772	Khabke32.exe	108
PID 2772 wrote to memory of 3860	2772	Khabke32.exe	108
PID 2772 wrote to memory of 3860	2772	Khabke32.exe	108
PID 3860 wrote to memory of 3628	3860	Kajfdk32.exe	110
PID 3860 wrote to memory of 3628	3860	Kajfdk32.exe	110
PID 3860 wrote to memory of 3628	3860	Kajfdk32.exe	110
PID 3628 wrote to memory of 448	3628	Khdoqefq.exe	111
PID 3628 wrote to memory of 448	3628	Khdoqefq.exe	111
PID 3628 wrote to memory of 448	3628	Khdoqefq.exe	111
PID 448 wrote to memory of 5000	448	Kongmo32.exe	112
PID 448 wrote to memory of 5000	448	Kongmo32.exe	112
PID 448 wrote to memory of 5000	448	Kongmo32.exe	112
PID 5000 wrote to memory of 3988	5000	Khfkfedn.exe	113
PID 5000 wrote to memory of 3988	5000	Khfkfedn.exe	113
PID 5000 wrote to memory of 3988	5000	Khfkfedn.exe	113
PID 3988 wrote to memory of 4188	3988	Kaopoj32.exe	114
PID 3988 wrote to memory of 4188	3988	Kaopoj32.exe	114
PID 3988 wrote to memory of 4188	3988	Kaopoj32.exe	114
PID 4188 wrote to memory of 1528	4188	Khihld32.exe	115

C:\Users\Admin\AppData\Local\Temp\926d344c1cd124d95d7ca4d21ff07f30N.exe
"C:\Users\Admin\AppData\Local\Temp\926d344c1cd124d95d7ca4d21ff07f30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\Iagqgn32.exe
  C:\Windows\system32\Iagqgn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\Ijpepcfj.exe
    C:\Windows\system32\Ijpepcfj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\SysWOW64\Ibgmaqfl.exe
      C:\Windows\system32\Ibgmaqfl.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
      - C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Lkcccn32.exe
        
        C:\Windows\system32\Lkcccn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Mclhjkfa.exe
        
        C:\Windows\system32\Mclhjkfa.exe
        35⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\Mekdffee.exe
        
        C:\Windows\system32\Mekdffee.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Mkgmoncl.exe
        
        C:\Windows\system32\Mkgmoncl.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        48⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Nefdbekh.exe
        
        C:\Windows\system32\Nefdbekh.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        61⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        64⤵
        Executes dropped EXE
        
        PID:5220
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        66⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        71⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        72⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        80⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        81⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        90⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        100⤵
        
        PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4508,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
1⤵
PID:5456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aijlgkjq.exe

Filesize
187KB

MD5
73d1cd688217892767650f22b2753010

SHA1
70e7b89681da022794dcb51b8a8aaad630df4d8f

SHA256
727160afde70f6aac4e317126b7f285251d3d97f9c85e4d9319d28093333d0ee

SHA512
8434b9a06efbbb5b9d376dbba876c5ece2a1b1c5b9e1d5dd6dd4b46369a9bb3fb02fa11da3029f309b1730aa1dca2cd3467c8ea3d6e76a33973c61320147a61b

Download Submit
C:\Windows\SysWOW64\Fhkkfnao.dll

Filesize
7KB

MD5
ac07909fa647701848cf2a06fd598ea7

SHA1
b5ff7547e5bff6a5a294aa64286587e9e3a17c9d

SHA256
8a31aa02db85eafe1a4f6cb4b1e06f3c705150c1b1f621d12c1fbbfb73f7e6d2

SHA512
b05a6fdb8654537d512442d435acfd09bf6fc132bed76bbd2d4ddc6cdbba8ba5193e10693194492e13b207fc2db5f19e93a2c34b50394848aac95eef35768c7f

Download Submit
C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
187KB

MD5
4084e5b3a7f7e8c009c069eca9f9033e

SHA1
1441be6de8097bb02e2e2e40ae6006262c949517

SHA256
4d9d9cd2e247e712b0b01b20998748220ed9e441436c8bd01b29b3392a54d2f7

SHA512
ac346a420e355b8e96047ea036d57f066e4941f01ff7566821c7b9c74144a900d05654ee3e10702d5cd656c8233ae3366a7d0be70884d3edcee7678f89b54b89

Download Submit
C:\Windows\SysWOW64\Ibgmaqfl.exe

Filesize
187KB

MD5
f51d69dfa04f135c10b6a3bf8838b7fe

SHA1
d50bd095c450cda684329d496a2465b79cef16bd

SHA256
fa915cd5101a4a26502fc8cf21c13b0c625b222964d180e284c600a220948530

SHA512
b1b0b8344867e1d81868ca261a0841089374f3e746a8a53c967c8d5c0c01f64ab9c0c546c258aff6f3d565a72c16b41637bcf0036a4197dbd1377303cc52928b

Download Submit
C:\Windows\SysWOW64\Ijpepcfj.exe

Filesize
187KB

MD5
34d1df2d2891202196189ed27872d63b

SHA1
3bd13fa28e71010ff43343269b7447279f2c6e6a

SHA256
b622f169a020cfccf2fb2e567d0e087d5a3adc8fdb944730249821c748e7320f

SHA512
8835aacb2eb5ada5fe422f0aefc3f956f3b59050852f19efb7f56003576cef248d1dea1baad077cd14f7182e2c61f5b0f207fbfcacc53a434f7c7a6a73fdfae5

Download Submit
C:\Windows\SysWOW64\Janghmia.exe

Filesize
187KB

MD5
9500b86b28a01b25da1129efba6ca304

SHA1
8a4fe1b9c74b48819d557037877d7b132c6e4e9f

SHA256
ec773df090c95cd886f456ffbdfaa56cb5098bcbca71c5cd683ae3b57cfd1772

SHA512
ccecd6a344d327210b29bf92bbb6a24c1ad3ecc111fc6f4b030dc68f3ee842768ba7d4a1fa427716fa5d28df7779c7c90b687b824692e5e9bce4e248ab67091c

Download Submit
C:\Windows\SysWOW64\Jddiegbm.exe

Filesize
187KB

MD5
412c7fcf5e47f594379b08259e8e7139

SHA1
e0786b71d02d45d780a30483b6f815280fe1c35a

SHA256
c66b21884b74cca5cf3d01851e668a74e0ccf0764df540b087e7b1dc593a45d9

SHA512
e9cb1936fa771688a76e484ea6b25bae7cfd9e914ad6f65ce2a98c4c3763a6ebde4e6807c31cc0d4da0e62912f24aa0ce2aea16f8dccc49c530e268f4236a84f

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
187KB

MD5
20c5aef5041fac50fccb385a67e5ce06

SHA1
e80404f7010bf4f4e79f6e95dec5605eafbe3092

SHA256
97b5b7d64033680aa189966133584e128453022033edb9a80ab1c170ed5ef52c

SHA512
044b922644dfe2ebad701813776148ac2b2673e63cb6b713dbd354adcb9e0a62d788367806892eae2710a5f6cecdb50c71682f9e36d9f4e64326623db14f0617

Download Submit
C:\Windows\SysWOW64\Jdopjh32.exe

Filesize
187KB

MD5
6be338c197d64e87e6c4863693ad907a

SHA1
dc68372ea7fa78dbc7882202bfa66cc8977378c5

SHA256
6128ee1b477c7430a5870ee4c8b5ce2dc859b4de11700661270ede629597041d

SHA512
8498256aa7a5f92e4929fba50c0705e212c9d44b2fc8bb0020fc4aa6323271ecfcba5db2e0fe8eb5d0f0bc5a0b01c24547a839d20e6da48db501b74087796af5

Download Submit
C:\Windows\SysWOW64\Jhkljfok.exe

Filesize
187KB

MD5
9266f520a8cc0bd85bb4cde0ecc64fcb

SHA1
5c0559b63d48783467b0b39c4d6faef9ebf5c72b

SHA256
af4779cc16df90122f2da78c8116a3fba65264ae1391c7e88794349458936fef

SHA512
7532d549ed5a200793bd11eaea07a917809da461844e6bb79ba2277f4d17576e3fb99d7ef4515e99012b2aed8b1979bfb7ad5069839f89af6003a956ac196e56

Download Submit
C:\Windows\SysWOW64\Jjdokb32.exe

Filesize
187KB

MD5
5a7752362e39e536f51951b7817b9144

SHA1
7866eb4df11d6f183c14c2958438aab0a428cc00

SHA256
b560fb1cf4dd0f725fbaeaa33b5ee0b284fc63e388e7a4cd908858a4c0a87418

SHA512
e27e01689a03a15519ebb4889a9bac29c862317225d3cb09fe8eb5d0dffea58bcaa7f903cd05ae30e87347a66eabe81f37484045bfb7516ba61c5804e9f6302c

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
64KB

MD5
d176f42748408387674d12f18e35a98e

SHA1
2bd772f3b588ee92fbbcd8b8b400638182626bf1

SHA256
f8a73e92b06bb4c8632e98896ef65f75db00d897c3591fba92a0c05bf073cbe7

SHA512
fab0870479443e8b60877d53f628cd352f9224c02fbc107c80ea4c68ffc3b8447f62d242a5ac7c64a2a38a9347e4d27ea3735cecf95f02988f17d1b213e8feba

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
187KB

MD5
dd586e33d7d19c1ff46492cf047160a4

SHA1
e7fe96513ea2b5371d0a75c0b49024264f68eda1

SHA256
3f75f6341c86f555841e1c5dd4e0c6a941ad2c994ad71d44ad959ef045a534d4

SHA512
039a951a66d7dfe2411bf9c2a7fd1b08643e858a9370a872ce18b53a8c81eb51b5b31bd86ca74c5d035478b5a3fb4c7a28ad210735d4c6da76bd7eef894ed899

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
187KB

MD5
ec09755b2e35ab164d2cd25588248080

SHA1
2fa00a66b79e2e8de059020e6bff9e58a5cf9aa2

SHA256
36a13d32a19fb3027f695543085f8a0347af8140a00808780d45fb4e268eb7e0

SHA512
1a0e6cb9a8b398ed20b3d1eab3bfd4dcd8d67074e80eecd560605c428efab5f2e1abc7c743f30fc3f79b9f1801907e744e9b580565f5e8ba264ea9999d7b3f46

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
187KB

MD5
510d698c07c0266a212440cda46b6e57

SHA1
0b7e3fd2642123dd4b512095dec3f471a5495f7f

SHA256
1939d5b19e881025cc00c8facd5a7d073ddd01556c5482fb222870d806690a47

SHA512
42f9f55ee1cb60336c1bcb834053db6801c0602586d689fd37c8af8d34b84d2935464ce6817f4ed204e198b4edb6a55f37262be92dc4992e23ca2afae33232ed

Download Submit
C:\Windows\SysWOW64\Jnnnfalp.exe

Filesize
187KB

MD5
7bd47f9a9a6c737022226c867344ce54

SHA1
da119370ec92628b26c9e641e69bba5eb2a4be00

SHA256
7123710ec07bb6db0528d6e13cba8137f53359dfbf9070826356a2b946952391

SHA512
c9e38f1121e095142296d8a264eb807ce22d18a8a80786266c31bd16bbe010634751961174f359a9ef2a21da00953164e9b097d5004adbac182babaf41759161

Download Submit
C:\Windows\SysWOW64\Kaaldjil.exe

Filesize
187KB

MD5
a6768c6a61c72bdf09f4979cc6afd348

SHA1
39bf4d8c90bc2d05cf24c38203852f8201b3b67e

SHA256
28012da84e7001a164fed1e7bb2fb6f2e7ef6cac8817f102e886c03b45f7f114

SHA512
b3570a6838d846e9bfd7e9e89b876960b8546f2114c8ea581866e58a37d1e2f222c2b7e658e8ed28ad4d83b04a4d67a14b56208d2c36d72e7858df68693ea622

Download Submit
C:\Windows\SysWOW64\Kajfdk32.exe

Filesize
187KB

MD5
846e4be93b9b67791ea22331817f4bf4

SHA1
7b4067ef3ccd727a1a648a3abb2769232a14fc9f

SHA256
3b17b42168e8158f4714251084b7b66b4db5ab3938c542cacad7b321e32348fb

SHA512
fd70c6f5c1cbec183ae8269762e6691a6e735b492d9d5d97ac3e66a315eae69a662b98fca6ca64474456b7e2d051832fe42e280cdeaa1f339cff0c675afa8e9c

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
187KB

MD5
15388fd92d8955375a51e20b8e6f479d

SHA1
1aa74c3e30579999e9533432617cfe54c744eac9

SHA256
e7a6e50257d2adcb8f88d4c0fcfe70add9465c709051939df81c642a0534b12b

SHA512
5c68792e7ccf71bbc420db33ea346d538c71cf8908995c99cc33d2a65ff7a5285cd9a8bb0656602f6ca6350d958d7472ee412148814afca8673a3c6f0a9fa01b

Download Submit
C:\Windows\SysWOW64\Khabke32.exe

Filesize
187KB

MD5
165d0037fa934aaaa664dd683af359f9

SHA1
0f757909784cb9bfbd282f552a65ae7ba44c3c70

SHA256
109cedb0ceb85667d47e79d95b9e06d82c4ad7c0d878c4a2a4d6263bb0c79f0a

SHA512
e935e213ea624cf85a8cb22ae3c607e936f4e9acb06a57b1bdb8db01e4feaa002a194de5c8c3c8583b2f777a0f1fc972c46da70ad251fe3a077dc42ec4a8ee1a

Download Submit
C:\Windows\SysWOW64\Khdoqefq.exe

Filesize
187KB

MD5
c3651d3a79ecb22bbc0aa817cee03d0b

SHA1
e5cc613a7a1da77efb664c412305dc5f401ccd59

SHA256
359ac1e87e1b8a3f1f3da8baf4a2d20428a745d1c3981bb5bead16431e3c2030

SHA512
34efbad075bfdde3719c44146fdd0416fcec46f9c0d881a666a84fc697ced3bd5f5914f633245a0a3268c0267e7500a1b3abb710dbf76de137dff812582b4569

Download Submit
C:\Windows\SysWOW64\Khfkfedn.exe

Filesize
187KB

MD5
9bc3b9e11db5f651c07ae741c405123e

SHA1
7f32c4d41baae8555eaa2f77730ac4abaa19fcd2

SHA256
fd959075db22373ee5658fbb140aea66403dfc340d828f9a9387d266b3a42923

SHA512
b3f4fd3237ec108ed2fbfa9b50832c880301423b55d84455da8005dd0694705e73fadff9866d3bc12abfe22a0dd6406aaadef9fce28ae235909e5b561946dc1a

Download Submit
C:\Windows\SysWOW64\Khihld32.exe

Filesize
187KB

MD5
100df6c06ebae1c5e98fea836f47238c

SHA1
2fadef24b63d332f4a3eef8b89fd3e437bb2b1ff

SHA256
8608c77513890ecb446dc457f45fa5207aa5508e3dfcfb0b4e5cb11db6b6f177

SHA512
5081451c1a29cf9adbfc14c499d0b6991043466068bee612403125380801c8adbf16f67249639b13e0f8b04067cad9f7bfb0f26e20aeef2c33f28964daf37b6d

Download Submit
C:\Windows\SysWOW64\Kocphojh.exe

Filesize
187KB

MD5
6ac224161def66139a43d5d32e4d553e

SHA1
759a54b8b43b96ab16a4d3af2bdff4f024cd525d

SHA256
169ea2b2454f5366a35808a407758abf81b14b67ac95e6d2e60538f059a80885

SHA512
46ec025b7f2b057b4f69e589144811e132c26c98011129d537b386befd9e61fb5876f3a714f833c36f09563a3fa9fa0f48a0768440395f402a54bbc6f5839e51

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe

Filesize
187KB

MD5
d08941ecb2b81699518b7393087035e2

SHA1
73966484db4389d408d4fc50326aa08654c01a10

SHA256
478da57f7103a373df902b8a2fa82ddc729c8c02ad95640c6e1621ed8b014644

SHA512
a3eba2c561481cfeeb7332ceeda565faf0333f68908a4af533d325fd1f246d20f7a1bd2d47a02aaaa19cb73be66ed6a567fae5e61166c26d5159e4323835bf0e

Download Submit
C:\Windows\SysWOW64\Kongmo32.exe

Filesize
187KB

MD5
d282dc0e6607f3eb087388f5d07ec36e

SHA1
d9ee80793ac7a33a2b026668a8ee4a0cd56d3b5d

SHA256
af0698511da85461b82642640321a81258a7cd291a8c52033f003818f258eae2

SHA512
1be53b403b747bf4b066080f75ca87334eed1ff3468db41f02f48c154f92eaa0e2a790097754d0242de57718454d2275ab9eadbd49b662dee2f6aa0aad555014

Download Submit
C:\Windows\SysWOW64\Lajokiaa.exe

Filesize
187KB

MD5
c898083e5b724eab6d0e9d57d2137585

SHA1
fabd70116407213db24642372ce8bf21a3518a73

SHA256
ef07fb78cb65e9d33351e60a1c2d07a35807b2fa6305ecd1e61a36362f1115db

SHA512
b3803cad68b51aba2e02e9119f8b625db4db960444749a7209aaa7fc143cedf4638f6530087ebcfa553f90fc45b75a24b2c6a3038f2dc3d71a6e77018363ece7

Download Submit
C:\Windows\SysWOW64\Lcjldk32.exe

Filesize
187KB

MD5
50f7d764b9706deb8d8c49d5adce35a6

SHA1
5f173ea15ba86de61b4f2277295ce55d1b7f0a6d

SHA256
a9cb6e7e487b078cb0ef7d676b29871e3551cffa800f6d2d632468ce2ea9bd66

SHA512
86d8e1915da5db32b934993db70d5a05b4bc6f89d489e838285cc028b9ad817ae416bb4b3fd934ef582650abc6f485803fbaed76318d86913576ed1e72203e74

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
187KB

MD5
b13eee72947de0d3b53ea6f9666d9621

SHA1
5838c5afdecd343ccae7319460e3679510c26c0e

SHA256
57ddff9ae632b51e0b22c3977766d574293408780bb57bf3227fb3de933577f1

SHA512
2947077f22e5c05161900e287a94c52ec884648b09e42ed904451221797ec1cbcedc1d128c5adc75cc3dcdef9ec3db408e17ca7167d1172e20c5d46941166f25

Download Submit
C:\Windows\SysWOW64\Leoejh32.exe

Filesize
187KB

MD5
a22ecd48d6d4544c2ea0a2163a8f0cc1

SHA1
15040116cd3207b2a1f1dbc44de77e0b31873985

SHA256
a618de8783e62ad80a844825dad6ad6c6ddb32d272b1825a6744e4521c8faa27

SHA512
8935521c2b344a22b40a05b936ceb7cafbb8c3af72d8fc761b466c37e509fcab4ba68b0a5735673d2369843bfb61c80a13c78349a47adbe0958765d611d38295

Download Submit
C:\Windows\SysWOW64\Lkcccn32.exe

Filesize
187KB

MD5
1e61448c0fa5d060ce94956062f09faf

SHA1
857f7217807ef9eb594da68f8853869de45083cd

SHA256
d657b4b6130a1ff412b68984887ffe834b831e7d6cb8af256748038b9f7c30de

SHA512
68b80730c4e80ced1660666dfe8d3648881b594bf02a48b7639f7ac9b57dc6fc40ea12441a2e771e7bfa0783cf36837f742ebbb38fc70d013eb8baa25717a79c

Download Submit
C:\Windows\SysWOW64\Lkqgno32.exe

Filesize
187KB

MD5
91c22f5ed851ca9029cb715df5780a4d

SHA1
1698744fc673d0a191015b1b937ce777142221e7

SHA256
0248ad09dac1e03d7398feee017b9c7da00c12814372e45b3bb97e2e150c670a

SHA512
0433121ac7f24fadb73d81149190eefbd84372eff779e825e05937b59928deeff0b12b82202cbac32663e0cecddca1f572de3a0019377cf6c391ff9d3b807d97

Download Submit
C:\Windows\SysWOW64\Llkjmb32.exe

Filesize
187KB

MD5
04321f28fcc1f1d1ff8c102242422e50

SHA1
39581758e0e133662de92d19a6dca824f870ec51

SHA256
4782e1f2e5c0890a3f4aa3752c666be524c070fb4d02fda9be46396bbb1b4dc3

SHA512
5799193393862001a17fd2553ff5ff76d031ee99ecfb83dd4a7921e3cdbe923a47cca9c258e5346d0673a82b5701bb4562af6baaca590a940bd9c597292424b9

Download Submit
C:\Windows\SysWOW64\Loemnnhe.exe

Filesize
187KB

MD5
368db61349d530727d4f4ce0905fe8e1

SHA1
8d32c8f77a1f04438b0d2ff06ad846f5f4b5b7ce

SHA256
e5ad10c86c8962a4d08ee7ab8b4ce8bda4366e441f725228598ec0e57852f889

SHA512
52fe1fab487d41a56a7d97f58af15fc89b4405e814a8835c56b084ef31d860d79f18c7c395a21e374e8a85db4cd10c2ba6b13bd20fd29719756cf2a4d2882b55

Download Submit
C:\Windows\SysWOW64\Logicn32.exe

Filesize
187KB

MD5
4e6ba3f7bde15ad399a89c249cc4addf

SHA1
a848178c9e2d61550c472cac9308aeb771e8ada2

SHA256
4632eb65bd1dcdb1abbabd41191b46daa229fba5e01a23f83b53dd8429b5af66

SHA512
391bc7b4b7b7ffdc777600d71b87c302b829a5a898136334d092d6d543b4c81b70d5075580d6fec8eac8e15d6185e8d6c2cf7bd95f5c6f246877e001b33ba709

Download Submit
memory/60-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/448-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/652-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/816-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/816-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/836-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/932-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/936-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/936-593-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/976-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1220-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1336-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1364-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1364-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1428-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1528-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1848-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1864-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2060-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2264-272-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2408-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2496-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2772-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2776-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2844-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2976-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3212-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3216-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3324-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3528-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3628-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3648-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3680-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3684-579-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3684-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3780-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3828-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3860-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3924-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3988-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4068-590-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4068-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4116-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4116-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-173-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4264-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4264-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4316-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4416-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4480-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4480-558-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4592-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4612-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4632-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4748-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4812-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4820-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4840-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4864-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4896-84-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4916-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5072-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5096-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5136-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5176-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5216-571-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5220-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5260-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5268-578-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5304-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5344-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5352-580-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5384-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5428-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5436-591-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5468-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5504-598-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5508-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5548-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5588-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5628-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5668-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5728-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5768-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5824-531-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5860-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5944-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5984-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/6032-552-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/6132-559-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads