12789742c51fb9b0cc163f33ebe9b637a22ec3c3844fa6c1f9a5f0324e4045e8

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 01:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ebfc680f5bb071494a7f1a14a0e33d10N.exe
Size

192KB
MD5

ebfc680f5bb071494a7f1a14a0e33d10
SHA1

3653d67138619457c7406017cacb4fea713469c4
SHA256

12789742c51fb9b0cc163f33ebe9b637a22ec3c3844fa6c1f9a5f0324e4045e8
SHA512

6f9f0ccdb0ff8e8732c69a0977679ea09032eb29bba1ba94377185cb3f0e43b7ad7bb7155437a323edf25b0d45b4c7d4d4d721174ab46ac439b946fc2be2ddb9
SSDEEP

3072:KV8ISA91jvEUe8NHCv3kremwc/gHq/Wp+YmKfxgQdxvzSTsXXoT2z:K2IJ9NvKv3/fc/UmKyIxLDXXoqz

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlefjnno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iloajfml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ielfgmnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nooikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgcmbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mafofggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkhlcnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbbnbemf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgdmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Janghmia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpchaqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loopdmpk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inidkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hejjanpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Napameoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnpaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocknbglo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilmedf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkcbnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjkbnfha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibbcfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qppkhfec.exe

Executes dropped EXE 64 IoCs

pid	Process
4832	Gglfbkin.exe
752	Gjkbnfha.exe
3292	Gbbkocid.exe
5028	Hkjohi32.exe
4576	Hebcao32.exe
4568	Hbfdjc32.exe
4732	Hgcmbj32.exe
3308	Hnmeodjc.exe
3736	Halaloif.exe
2356	Hgeihiac.exe
532	Hnpaec32.exe
1096	Hejjanpm.exe
5008	Hkcbnh32.exe
3300	Ielfgmnj.exe
2544	Ijiopd32.exe
1968	Ibpgqa32.exe
2860	Ibbcfa32.exe
3600	Iholohii.exe
4904	Inidkb32.exe
4460	Ilmedf32.exe
4352	Ibgmaqfl.exe
3384	Iloajfml.exe
5088	Jehfcl32.exe
624	Jblflp32.exe
1372	Janghmia.exe
2876	Jdmcdhhe.exe
3140	Jhkljfok.exe
4516	Jacpcl32.exe
2768	Jjkdlall.exe
812	Jddiegbm.exe
3776	Koimbpbc.exe
3320	Kdffjgpj.exe
3080	Koljgppp.exe
1212	Kefbdjgm.exe
3612	Khdoqefq.exe
4016	Kongmo32.exe
216	Kdkoef32.exe
4936	Klbgfc32.exe
4228	Kaopoj32.exe
3720	Kejloi32.exe
1888	Khihld32.exe
1832	Kdpiqehp.exe
3784	Lkiamp32.exe
2316	Lbqinm32.exe
5016	Leoejh32.exe
4340	Lbcedmnl.exe
1724	Llkjmb32.exe
2804	Lojfin32.exe
3636	Lahbei32.exe
2264	Ldfoad32.exe
1612	Lkqgno32.exe
2636	Lbhool32.exe
2476	Lajokiaa.exe
4244	Llpchaqg.exe
2556	Loopdmpk.exe
3416	Ldkhlcnb.exe
2792	Lhgdmb32.exe
4820	Mkepineo.exe
5160	Mclhjkfa.exe
5204	Mhiabbdi.exe
5244	Mcoepkdo.exe
5292	Memalfcb.exe
5332	Mkjjdmaj.exe
5372	Mcabej32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ielfgmnj.exe	Hkcbnh32.exe
File opened for modification	C:\Windows\SysWOW64\Jddiegbm.exe	Jjkdlall.exe
File opened for modification	C:\Windows\SysWOW64\Napameoi.exe	Noaeqjpe.exe
File created	C:\Windows\SysWOW64\Hjjcnl32.dll	Hkjohi32.exe
File created	C:\Windows\SysWOW64\Halaloif.exe	Hnmeodjc.exe
File opened for modification	C:\Windows\SysWOW64\Hejjanpm.exe	Hnpaec32.exe
File opened for modification	C:\Windows\SysWOW64\Klbgfc32.exe	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Okfbgiij.exe	Odljjo32.exe
File created	C:\Windows\SysWOW64\Inidkb32.exe	Iholohii.exe
File created	C:\Windows\SysWOW64\Eobdnbdn.dll	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Bbndhppc.dll	Oflfdbip.exe
File created	C:\Windows\SysWOW64\Ompbfo32.dll	Hejjanpm.exe
File created	C:\Windows\SysWOW64\Gpmmbfem.dll	Ibgmaqfl.exe
File created	C:\Windows\SysWOW64\Ifkqol32.dll	Jddiegbm.exe
File created	C:\Windows\SysWOW64\Hgnfpc32.dll	Koljgppp.exe
File opened for modification	C:\Windows\SysWOW64\Kejloi32.exe	Kaopoj32.exe
File opened for modification	C:\Windows\SysWOW64\Khihld32.exe	Kejloi32.exe
File created	C:\Windows\SysWOW64\Dkheoa32.dll	Memalfcb.exe
File opened for modification	C:\Windows\SysWOW64\Halaloif.exe	Hnmeodjc.exe
File created	C:\Windows\SysWOW64\Epaaihpg.dll	Inidkb32.exe
File created	C:\Windows\SysWOW64\Dmehgibj.dll	Ilmedf32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepineo.exe	Lhgdmb32.exe
File created	C:\Windows\SysWOW64\Dcmlbk32.dll	Mkepineo.exe
File created	C:\Windows\SysWOW64\Jbjabqbh.dll	Mafofggd.exe
File created	C:\Windows\SysWOW64\Nheqnpjk.exe	Nchhfild.exe
File opened for modification	C:\Windows\SysWOW64\Hgeihiac.exe	Halaloif.exe
File created	C:\Windows\SysWOW64\Hkcbnh32.exe	Hejjanpm.exe
File created	C:\Windows\SysWOW64\Koimbpbc.exe	Jddiegbm.exe
File opened for modification	C:\Windows\SysWOW64\Lbcedmnl.exe	Leoejh32.exe
File opened for modification	C:\Windows\SysWOW64\Lajokiaa.exe	Lbhool32.exe
File created	C:\Windows\SysWOW64\Loopdmpk.exe	Llpchaqg.exe
File created	C:\Windows\SysWOW64\Cdghfg32.dll	Mcoepkdo.exe
File created	C:\Windows\SysWOW64\Peempn32.exe	Pkmhgh32.exe
File created	C:\Windows\SysWOW64\Mhinoa32.dll	Qppkhfec.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Afnlpohj.exe
File opened for modification	C:\Windows\SysWOW64\Ibbcfa32.exe	Ibpgqa32.exe
File created	C:\Windows\SysWOW64\Janghmia.exe	Jblflp32.exe
File opened for modification	C:\Windows\SysWOW64\Janghmia.exe	Jblflp32.exe
File created	C:\Windows\SysWOW64\Kongmo32.exe	Khdoqefq.exe
File created	C:\Windows\SysWOW64\Ndebln32.dll	Mcabej32.exe
File created	C:\Windows\SysWOW64\Nomlek32.exe	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Nkeipk32.exe	Nfiagd32.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Acppddig.exe
File created	C:\Windows\SysWOW64\Jehfcl32.exe	Iloajfml.exe
File opened for modification	C:\Windows\SysWOW64\Jblflp32.exe	Jehfcl32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcdhhe.exe	Janghmia.exe
File created	C:\Windows\SysWOW64\Mjlhjjnc.dll	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Gmoikj32.dll	Mepnaf32.exe
File created	C:\Windows\SysWOW64\Pmhegoin.dll	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Kmpaoopf.dll	Ijiopd32.exe
File opened for modification	C:\Windows\SysWOW64\Koljgppp.exe	Kdffjgpj.exe
File opened for modification	C:\Windows\SysWOW64\Llpchaqg.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Mkepineo.exe	Lhgdmb32.exe
File created	C:\Windows\SysWOW64\Mclhjkfa.exe	Mkepineo.exe
File created	C:\Windows\SysWOW64\Cbpijjbj.dll	Nbdkhe32.exe
File opened for modification	C:\Windows\SysWOW64\Qfjcep32.exe	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Glbqbe32.dll	ebfc680f5bb071494a7f1a14a0e33d10N.exe
File created	C:\Windows\SysWOW64\Edpabila.dll	Gjkbnfha.exe
File created	C:\Windows\SysWOW64\Lcmgbngb.dll	Halaloif.exe
File created	C:\Windows\SysWOW64\Ijiopd32.exe	Ielfgmnj.exe
File created	C:\Windows\SysWOW64\Iloajfml.exe	Ibgmaqfl.exe
File opened for modification	C:\Windows\SysWOW64\Ldfoad32.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Ffmnibme.dll	Nomlek32.exe
File created	C:\Windows\SysWOW64\Noaeqjpe.exe	Nkeipk32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nooikj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peempn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Halaloif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoejh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obfhmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibbcfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkjjdmaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ielfgmnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loopdmpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omaeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnpaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibgmaqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomlek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbnbemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgcmbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfiagd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefjnno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnmeodjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijiopd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iloajfml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mepnaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebfc680f5bb071494a7f1a14a0e33d10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibpgqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcdhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgeihiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koimbpbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjckkcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gglfbkin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkjohi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jddiegbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhiabbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hebcao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mafofggd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nheqnpjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkepineo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mahklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janghmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koljgppp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhpgca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibbcfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibbcfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbjabqbh.dll"	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aannbg32.dll"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichnpf32.dll"	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbfdjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nchhfild.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hebcao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iloajfml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldkhlcnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohpjh32.dll"	Hgcmbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacmli32.dll"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opepqban.dll"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ebfc680f5bb071494a7f1a14a0e33d10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iholohii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokjbgbf.dll"	Nooikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oljoen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnmeodjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdfnq32.dll"	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbdmc32.dll"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjkbnfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pddlig32.dll"	Hnmeodjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnpaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmehgibj.dll"	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okahhpqj.dll"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdjpphi.dll"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjcnl32.dll"	Hkjohi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epaaihpg.dll"	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkjohi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibpgqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfdfbqe.dll"	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhejfl32.dll"	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfiagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompbfo32.dll"	Hejjanpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abggif32.dll"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbikenl.dll"	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpijjbj.dll"	Nbdkhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhgdmb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 4832	4048	ebfc680f5bb071494a7f1a14a0e33d10N.exe	91
PID 4048 wrote to memory of 4832	4048	ebfc680f5bb071494a7f1a14a0e33d10N.exe	91
PID 4048 wrote to memory of 4832	4048	ebfc680f5bb071494a7f1a14a0e33d10N.exe	91
PID 4832 wrote to memory of 752	4832	Gglfbkin.exe	92
PID 4832 wrote to memory of 752	4832	Gglfbkin.exe	92
PID 4832 wrote to memory of 752	4832	Gglfbkin.exe	92
PID 752 wrote to memory of 3292	752	Gjkbnfha.exe	93
PID 752 wrote to memory of 3292	752	Gjkbnfha.exe	93
PID 752 wrote to memory of 3292	752	Gjkbnfha.exe	93
PID 3292 wrote to memory of 5028	3292	Gbbkocid.exe	94
PID 3292 wrote to memory of 5028	3292	Gbbkocid.exe	94
PID 3292 wrote to memory of 5028	3292	Gbbkocid.exe	94
PID 5028 wrote to memory of 4576	5028	Hkjohi32.exe	95
PID 5028 wrote to memory of 4576	5028	Hkjohi32.exe	95
PID 5028 wrote to memory of 4576	5028	Hkjohi32.exe	95
PID 4576 wrote to memory of 4568	4576	Hebcao32.exe	97
PID 4576 wrote to memory of 4568	4576	Hebcao32.exe	97
PID 4576 wrote to memory of 4568	4576	Hebcao32.exe	97
PID 4568 wrote to memory of 4732	4568	Hbfdjc32.exe	98
PID 4568 wrote to memory of 4732	4568	Hbfdjc32.exe	98
PID 4568 wrote to memory of 4732	4568	Hbfdjc32.exe	98
PID 4732 wrote to memory of 3308	4732	Hgcmbj32.exe	99
PID 4732 wrote to memory of 3308	4732	Hgcmbj32.exe	99
PID 4732 wrote to memory of 3308	4732	Hgcmbj32.exe	99
PID 3308 wrote to memory of 3736	3308	Hnmeodjc.exe	100
PID 3308 wrote to memory of 3736	3308	Hnmeodjc.exe	100
PID 3308 wrote to memory of 3736	3308	Hnmeodjc.exe	100
PID 3736 wrote to memory of 2356	3736	Halaloif.exe	101
PID 3736 wrote to memory of 2356	3736	Halaloif.exe	101
PID 3736 wrote to memory of 2356	3736	Halaloif.exe	101
PID 2356 wrote to memory of 532	2356	Hgeihiac.exe	102
PID 2356 wrote to memory of 532	2356	Hgeihiac.exe	102
PID 2356 wrote to memory of 532	2356	Hgeihiac.exe	102
PID 532 wrote to memory of 1096	532	Hnpaec32.exe	103
PID 532 wrote to memory of 1096	532	Hnpaec32.exe	103
PID 532 wrote to memory of 1096	532	Hnpaec32.exe	103
PID 1096 wrote to memory of 5008	1096	Hejjanpm.exe	104
PID 1096 wrote to memory of 5008	1096	Hejjanpm.exe	104
PID 1096 wrote to memory of 5008	1096	Hejjanpm.exe	104
PID 5008 wrote to memory of 3300	5008	Hkcbnh32.exe	105
PID 5008 wrote to memory of 3300	5008	Hkcbnh32.exe	105
PID 5008 wrote to memory of 3300	5008	Hkcbnh32.exe	105
PID 3300 wrote to memory of 2544	3300	Ielfgmnj.exe	106
PID 3300 wrote to memory of 2544	3300	Ielfgmnj.exe	106
PID 3300 wrote to memory of 2544	3300	Ielfgmnj.exe	106
PID 2544 wrote to memory of 1968	2544	Ijiopd32.exe	107
PID 2544 wrote to memory of 1968	2544	Ijiopd32.exe	107
PID 2544 wrote to memory of 1968	2544	Ijiopd32.exe	107
PID 1968 wrote to memory of 2860	1968	Ibpgqa32.exe	109
PID 1968 wrote to memory of 2860	1968	Ibpgqa32.exe	109
PID 1968 wrote to memory of 2860	1968	Ibpgqa32.exe	109
PID 2860 wrote to memory of 3600	2860	Ibbcfa32.exe	110
PID 2860 wrote to memory of 3600	2860	Ibbcfa32.exe	110
PID 2860 wrote to memory of 3600	2860	Ibbcfa32.exe	110
PID 3600 wrote to memory of 4904	3600	Iholohii.exe	111
PID 3600 wrote to memory of 4904	3600	Iholohii.exe	111
PID 3600 wrote to memory of 4904	3600	Iholohii.exe	111
PID 4904 wrote to memory of 4460	4904	Inidkb32.exe	112
PID 4904 wrote to memory of 4460	4904	Inidkb32.exe	112
PID 4904 wrote to memory of 4460	4904	Inidkb32.exe	112
PID 4460 wrote to memory of 4352	4460	Ilmedf32.exe	114
PID 4460 wrote to memory of 4352	4460	Ilmedf32.exe	114
PID 4460 wrote to memory of 4352	4460	Ilmedf32.exe	114
PID 4352 wrote to memory of 3384	4352	Ibgmaqfl.exe	115

C:\Users\Admin\AppData\Local\Temp\ebfc680f5bb071494a7f1a14a0e33d10N.exe
"C:\Users\Admin\AppData\Local\Temp\ebfc680f5bb071494a7f1a14a0e33d10N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\Gglfbkin.exe
  C:\Windows\system32\Gglfbkin.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SysWOW64\Gjkbnfha.exe
    C:\Windows\system32\Gjkbnfha.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\Gbbkocid.exe
      C:\Windows\system32\Gbbkocid.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Windows\SysWOW64\Hkjohi32.exe
        
        C:\Windows\system32\Hkjohi32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
      - C:\Windows\SysWOW64\Hebcao32.exe
        
        C:\Windows\system32\Hebcao32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Iholohii.exe
        
        C:\Windows\system32\Iholohii.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        28⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        49⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Loopdmpk.exe
        
        C:\Windows\system32\Loopdmpk.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\Ldkhlcnb.exe
        
        C:\Windows\system32\Ldkhlcnb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Mclhjkfa.exe
        
        C:\Windows\system32\Mclhjkfa.exe
        60⤵
        Executes dropped EXE
        
        PID:5160
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Memalfcb.exe
        
        C:\Windows\system32\Memalfcb.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        67⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        79⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        88⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        105⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        107⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:6200
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:6424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
1⤵
PID:5924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
192KB

MD5
4324fc59ff6a0c9d80a04970ec3d9806

SHA1
2517e563386d5c3758ab7f511bcbc7d95258edd2

SHA256
9782c0bbf4dce36d33e30aec6d97a4a34812361090788247b8beee5829f5ca3c

SHA512
894c4c419e36ed8ac8fb3ef9654e29656720c1bd9ac9e12466aef9951222f0392a8c1ddc194bc2d5ee5501c8535efe25f78a54a52fc79686f4c56c1bd0271f64

Download Submit
C:\Windows\SysWOW64\Gbbkocid.exe

Filesize
192KB

MD5
541803476e2ec09cbc9ca0744d06ae97

SHA1
40502e6f5f6745824e25379e3724f9c975167af7

SHA256
6cd26a7cbef20e7db884e63c581e733bc3d7f75d1a24be8cef38ad2127d48684

SHA512
56d3c1df31848a353f0233a83e4b965bb7181a90eebce660ac925415074b36006432aab640fa9add569ec9b3da2b4d3560b494a0a1d8d7754df9525ca0ac8a37

Download Submit
C:\Windows\SysWOW64\Gglfbkin.exe

Filesize
192KB

MD5
aefddb6298f17f33f7d9d775fa7570cd

SHA1
6f92ed6a5694abb50c0b633d18c4946c8ddb97e7

SHA256
f885fcae3d7e717a9824adeb1d146309895428588e5fb1811d92ab50e0435330

SHA512
b0e25949ebbe34d93f7280add919bb22466e20a4d726427463e430f21a0334cc9924dd110cd77192a63083be36fe0953bf73cd9c2c80bfb020911fc16514635b

Download Submit
C:\Windows\SysWOW64\Gjkbnfha.exe

Filesize
192KB

MD5
69093863ff9a6f2638d2a57f9ad6612a

SHA1
d42b91baf84f2b625760c4bd2c95adacd879e833

SHA256
3a847fdfd29a3ea0e485a5869e3690c1348c13fb6041205866ed9895fad49874

SHA512
38f4610da1cd7f52d64ce6a2f48f0fc3598affe2ca27798d7bcfa09687558e22853614481a4516a8e48b781515b372096eb69e940f2858adb027d8fb5f3cc1c3

Download Submit
C:\Windows\SysWOW64\Halaloif.exe

Filesize
192KB

MD5
13e5e696f7a68f973a168949abff1a4d

SHA1
c43da10e46a733190ecc1ba3091826b9d3e548d3

SHA256
fc4ba59cb8cd0fe45b4595f2c85f633c3badec8b267732f650567533c10e033a

SHA512
4391bbb65f0b49646f86e78ba30038b382cb31cd3153158f69dab150a27f6d5b1fbdedab1e2769248eb840ef5f060a0ba3f901188d8b06b855199d29f480bdab

Download Submit
C:\Windows\SysWOW64\Hbfdjc32.exe

Filesize
192KB

MD5
2929bc047b33cb37e642d3f010b13918

SHA1
6fe4aaa02072810b25635fcfe4584019ab19d61d

SHA256
4407c385ba77ef49807ba950750f82de69c561be42454fb0aabf2e8fb5aaa216

SHA512
c7b1184a31958a87b2ae9ee2bc1390eea4ee6190c80fbbfaa664a591bc77dab2c428f05663072fb94ba7bdecd0199e274013e5b7a84413ea737662d2a82bb75c

Download Submit
C:\Windows\SysWOW64\Hebcao32.exe

Filesize
192KB

MD5
dcf769575385d1ecf1eb659feb763817

SHA1
13c78dbc165aec6a40bb67cb8c13793d41ec2693

SHA256
92da75bc51a186e74dc8ce3b99452c5368877cf125de1288a3d0a7b849f4ba59

SHA512
843b0287ee0499c484c11016e1a3c92cd29eb54bc28139cc6b5dbe70b2db745e132a4289cda3d886f9a0634ac3cce8bef10f42b064b48fb30f7a61de5604173f

Download Submit
C:\Windows\SysWOW64\Hejjanpm.exe

Filesize
192KB

MD5
58a6921ab6427457582701867074b529

SHA1
9f3c403ef064cafba0a10d85726566ee3a659581

SHA256
f6ec69f2bbde4567e9f9d199d34ee259b24261ea8c2886af510eb75b83fd8dcd

SHA512
90bc56e6b0deb694e3b8e16c8f90d1a25f6b1ac7b62504998526a5ff3ab87d6a9dd4ce88fa594a50b14dab98856ce9d093f6237c4ee4cf3fffec71ebdaa956c2

Download Submit
C:\Windows\SysWOW64\Hgcmbj32.exe

Filesize
192KB

MD5
d138a27ee2d4d0a05c093145cb2fecf5

SHA1
807e41bdc06e570e29fd8ba72044a686c41ba477

SHA256
394c3e13f3970799ba181b7bd4f214b76fdc970704975b21008c151e9f3be271

SHA512
75ecedb75cca75006600cfa509f537ec7711c25c2143e93d73d67e1060e8d5c0aaf47f9c15d7b139d4cc9a761475a562f51152b4ec647e3e7bbe90a4d0a42258

Download Submit
C:\Windows\SysWOW64\Hgeihiac.exe

Filesize
192KB

MD5
71121708caeba6cf4de56ab9e37b7d20

SHA1
c5350c6415a961b29ac4e669197a0eeb8aad8467

SHA256
0a6a44378bd088b40a9aa1f5bd8ca5924b9e081f49b73dba70a55f0be466873b

SHA512
042b421b92dd233176b52c345ea273804d130a0e1c66fa8345ce442639de2e9e5da61e83084f419d35368527a43f8e1e7eae3581ddcd66e85019cec477e4cd31

Download Submit
C:\Windows\SysWOW64\Hjjcnl32.dll

Filesize
7KB

MD5
e01a2a31fffec1621983a97b2e08f4d8

SHA1
4dfac99973b20a7215531abd4d8e062b46413b6b

SHA256
0a9b3a3e44bc779e24fb1b46528628c60a90dd977519aed3082c9e86aee2c7c6

SHA512
08f0b2e8e447967405ed97d0f25f0600162e62885c4e59a6a0d70709c1a6d311063e481f8224a38b5a87ed968f6689ed95de83fd4733fe72c8af031ce316eb6a

Download Submit
C:\Windows\SysWOW64\Hkcbnh32.exe

Filesize
192KB

MD5
92d5734e41b7a9c8303821ae7e19eac8

SHA1
654fdf7e3ece85e1bc00671d1a407b32831f2538

SHA256
e45565836a430be129d197be828904e84947680f47325326d93fdc99a51d8f41

SHA512
e6093655fc53248515c6e0e7a5230212ab30e5d9da2a20c7b9b15c866a17f29a2451c0f3cba612061d74b86270546ad76cac58589150d4a495bbacb12f93e2d5

Download Submit
C:\Windows\SysWOW64\Hkjohi32.exe

Filesize
192KB

MD5
3512a9d9e279c20a34f21569a8eec818

SHA1
6553f3e499d01de3115bec374ac3ae035a0860bb

SHA256
9be9358b655172ba7b787df771b3eab0deb3cc7221d50d9996199a9c7997b5cf

SHA512
a30da410f8aa1b3a30ea654de76ec9c76965eb65d34bfa31b2119a9b84f312a8f495f51fe0d98bc713a8117d1731c6a08abf47a358f294c2f7d42c45ee158442

Download Submit
C:\Windows\SysWOW64\Hnmeodjc.exe

Filesize
192KB

MD5
a2934d3d6e3f36fa71900b08e735e17f

SHA1
f255ed7402bf0590ec7e0374dc97d3f5c6a7ae16

SHA256
f9564c066044dbda0703d4313cebc5d37c74826c3b04d17607c60af8e485861d

SHA512
f001cf0b07b3c84012f23e558a2575e5096123abe7c6ecf7f7fd7c904c55d77f75954ed9c1bd7f399da030eacf676d60bbe3a625da2f62f04a5e07797dd8f715

Download Submit
C:\Windows\SysWOW64\Hnpaec32.exe

Filesize
192KB

MD5
3fa6cd2d4b758aab8c0e487009f1181f

SHA1
12422be42c377a8da9820ce1cf43304723d8b921

SHA256
a980f48f6036148d5037713476684c2eec0e0bd97ba24a36ac83319d15baca7c

SHA512
7e5afdb3856e6bc4c5bdf46377ffc8a788bc8c7e2cbcc6bfbb5a4cdb4f9be61d3727f7d6f6939fb2080022eec0f8a991bdddd79594994001e76cffce6cd90156

Download Submit
C:\Windows\SysWOW64\Ibbcfa32.exe

Filesize
192KB

MD5
4772edcb0faa3e9c3b53f6b4d5a088b7

SHA1
a64dd739873864b23d48aee81e630bef0f371291

SHA256
982a144ecbff6aac45d0b90fe202714a18b1e234ca988c725931af5e00293341

SHA512
b3f8bacc8e01d912cdc5d1de2a63e54f9342f74cebadce95969676081c0faab39766057ae1097a824e3631e8f11daca2ae70e746d588fa23bfcbf0dd36e49101

Download Submit
C:\Windows\SysWOW64\Ibgmaqfl.exe

Filesize
192KB

MD5
34012dad5ac0156c13258745f8e24d37

SHA1
08acad88b19f0497f989dc9f129913dc1f6df985

SHA256
be58baf40a37e35832e64e9d6dcc7bb48c65153fab2c7056e1da50cdef5a96ea

SHA512
b9cc1ce2e7f42eb3d3f070c4f6f06306da6a2b33a2ec8315635cbbd64034949867d1b91750b0e1588379706e106783af87e9e23291b27b6d802c0c79c9702a97

Download Submit
C:\Windows\SysWOW64\Ibpgqa32.exe

Filesize
192KB

MD5
37bafdf9ca3083ba105ba1f72464e6e7

SHA1
e7341f4007de502f0885b3f5d33c32b16f7bc1fb

SHA256
a460c03c3e61c61c81d5553f74465ec2110f9e64ea26a57e1eac1d6df1f0a3f0

SHA512
5344d751e50251e953741c901550c18dc7dbfa089f0db059805cf218c95c29ee2c39100a1e269541373ed9022661869564a1a5803f2939be2160a284579089e3

Download Submit
C:\Windows\SysWOW64\Ielfgmnj.exe

Filesize
192KB

MD5
8b20003c549d3ab5c8301e648f12d7c4

SHA1
f25b8bfbb9b109b8ea3413992f3d3418ec5801a4

SHA256
a5377bcc4d446b40d77c01670a481e19c45839393db892d1b745b967d6a57d36

SHA512
7785e212556fabcca720fa6731462d57ef7fdf2f9d15d5e83cd7066aa53d93cbeb9848e347d5408a9d83f45f23854a8a10fda7253a26a789c381f10a179a1db8

Download Submit
C:\Windows\SysWOW64\Iholohii.exe

Filesize
192KB

MD5
56ea56ef4c6107fb7cfd8e1649a612ce

SHA1
c7be9d29cc1b5bb90a6a237c70dee89592233e68

SHA256
74ffa982a80c5574465998c0748271b108b8f9f2629291f40c80e67994f13854

SHA512
d865d0bcdfa7bd0049690cb11da7fd611025abceeccfc850a5e9edc49d8a2bca9f0c41d43e76fa06714a69d8f7fccb251f42d2576e122731bdf0b6a8fd5ea7cf

Download Submit
C:\Windows\SysWOW64\Ijiopd32.exe

Filesize
192KB

MD5
7eedc679e238297ff18fd15ca2a2ca52

SHA1
3a92ad51aa81ce99f31b76930cdf9e3c9b72fde6

SHA256
d722aba1148eb077d5c3dfb34a67161ac3d28a4cb0a61c5fac066d1ff07796ce

SHA512
310b09d02566b20b6f33f2d31aeb0a037ae0fb4fa83e1edf18df92c591e64f8c80154a39f4dc57aba16f75b0378a677c152df9eff7568168d36be90032c3a9d1

Download Submit
C:\Windows\SysWOW64\Ilmedf32.exe

Filesize
192KB

MD5
76a3fef19b7e529e8a241dbf4d836575

SHA1
544d29c5e1e38e4167954e8748b58a19f4075fde

SHA256
d6238376c61c6fadf99830131dc8ac5e5df16fc5639648c942f82d814ecceb06

SHA512
be4f16d2c0b3f9c5832e9f5a8c3d26dbb2d8186d252b4cd32eca8056ae4c60ca3a5091e90789757cb26a0388351ecba192637ee7c4a9dc0cdf2985f6ca1f68f0

Download Submit
C:\Windows\SysWOW64\Iloajfml.exe

Filesize
192KB

MD5
4c07197363126db51cabedb57316e37e

SHA1
04f60c16d455e03032ee1269f2ccf5cf9fd70407

SHA256
99411432281d8f6902bb4d5774a175fdd7c19a9d50a634cd3055c41a536f7c4c

SHA512
fbc2abc039555f410884e96d020c2bc796daae156388b5d06040d47b0cf1eae3bf5d3d6cadc3581ee7a5329e708a1b4db6a6268e1cbe2fb6894f674a8bf2f514

Download Submit
C:\Windows\SysWOW64\Inidkb32.exe

Filesize
192KB

MD5
09a71e564cad0c253bc63df1c24fab1d

SHA1
2c7e97e2bd20bc6753cc499b7be35c63adc92bc4

SHA256
b7b9c1791071259ae43dc3b0bdee6057346881863b66a9ebfc341cf228168e0a

SHA512
356ea1495f43c02ccd6868706dd0db076d493d9f7e1a17af15c9b40fc3dd25c1b67c037e812475bcd7fb5d73f5117f7d21efc9ce4fda5bf49b3596a2e68b3ee8

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
192KB

MD5
af2af8caba47ad73922d1be4c26feb36

SHA1
eeb2b9807cdc0be184b2bcdc85364ae9a8b7836b

SHA256
57d40cfdbe71c1139be850ba240977bb79ea3ba4d5576e5d55062c969ac00d17

SHA512
79b32fb76a02008a2b48b01e9ed7d15e99003ce54b71cd23c1e7bdf7cba35255af7dbba8c8a798e644700f4abad94f3370327939a01e78de42157b39368a1937

Download Submit
C:\Windows\SysWOW64\Janghmia.exe

Filesize
192KB

MD5
c38f96c52e2ac67b49275d6e3a0696d9

SHA1
2f817be33c1bc2ac1c2d4306f2f083f10238d941

SHA256
b8bead30dcc0a5043c35f1afe81567f7e7f8918656bacb0829963ebe66c050b2

SHA512
e69d965dade52d933ce10506d4a919287c2dc3965bbc5eeef7227103bdd7c0cd7b1e0261f7df759183d0cfbf0a6b491ad95fddaea5daceed9a32fc9013e79877

Download Submit
C:\Windows\SysWOW64\Jblflp32.exe

Filesize
192KB

MD5
0394a2f433100a3f8c97f62a8a8dfc85

SHA1
a54e10dd039f48d597be13cc37dabf748fa6611e

SHA256
7b37a7740241f6f306b4904f0b647a0f20d106025fe399b4d1650c26433bc135

SHA512
cda74f6fcbe18b17552c1d31eed320743149b3c59fbb6ac8847f43c3766a548bf5d295592bb46940e7c661b59acb18098f8193d100015d763fa764b516e14b66

Download Submit
C:\Windows\SysWOW64\Jddiegbm.exe

Filesize
192KB

MD5
7771269d4b198dc8675c4cad858fc34b

SHA1
5ad17226f70e40195500d13c9a66225fa08703bd

SHA256
534d6e48a8eb94796c50e527d0ffb2872de98a17bcff7b49ba5e89ac92b8dbf1

SHA512
1ded9c55c06e5af29e5875d8b1d5c30a5b39f00d4dca76ee28403a221206d5b45523d1dc105ecf6eb7e106e5517526d5507b644556dd8ce2410ad3b002f6adb5

Download Submit
C:\Windows\SysWOW64\Jdmcdhhe.exe

Filesize
192KB

MD5
68a3d3639aa4970f17acdba4b183d8b0

SHA1
4aa01f384a0d1b11756a11a061812ebc18c6e6f3

SHA256
0bfac144b74db37e2ca78bdeb80c1cc49e871c346c80b00e0ed5b393d361faf7

SHA512
90935eab24295bd7dc1a80c5d7320d186f0f7fd18175c7ba0bac0f9099fbe043e90933cf32c4b3a7285f96a7e62849367cb148cebd4a99cf727602250182f878

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
192KB

MD5
dc978e773136fd976d4ce9d0326ecfd8

SHA1
9bee191cc3949a879fa145ad9300fd297e45ec3d

SHA256
0cd53445740a205fe4f8ba530cf16d471dbdc2a0340d1291ae97c4b707d6d3a7

SHA512
c2003d48aca66dba55cc5e9435950c0402905e1cb85bfa82b7289812044da7d7599fd32808054ae446f42b51f762047e22129d08e3c990a39ab3fbe0b5d9bf8b

Download Submit
C:\Windows\SysWOW64\Jhkljfok.exe

Filesize
192KB

MD5
1449218d2795442946f2632f744f779b

SHA1
d4a288d0783e252e18e7da82c51152b7540f9f94

SHA256
941728ae3a7c3ced4e9b0145edffd81c884514ccb805fa331f6dffd78f522743

SHA512
b27d86c7417230f538998beed85b690ab8814d8ed25ab82c332cbff1388a3a69a2459013a2b96b51184b86f54fea51dfb90d5ac41db78f1174b5d129ffd1bbb1

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
192KB

MD5
91ef7ee60326247dc60dab1ddc66fe6c

SHA1
8e923c520dfdfc8a34680703a814276118df3717

SHA256
f4b059061bc7523d9e8b7096d13ba9854ddc2d2953dd83d07ba7ebcf817eb5ff

SHA512
579492b1e8b4779ad5af7db35ada116372c06c90d83cdbe000616da9f957b56c9922a9e859f0239331215692dda97061464105082d91d29cca29ddb8fbcea5d9

Download Submit
C:\Windows\SysWOW64\Kdffjgpj.exe

Filesize
192KB

MD5
df2d93d591239e276428517792aaf2ff

SHA1
2c976cb07752a80c1f83b8f0accae32246cc67e3

SHA256
95b8ea72bea76c25299d38f0e7b4eb861fb1791a042804c6f2431caeb87d5d1d

SHA512
265b923fc510a6eb80105fa35f32bd1179ca14fab289042002d461ee11c893883a768d2ec9358f769c419c5b2d834453dfe732c76832c6cd74450ec26e08f572

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe

Filesize
192KB

MD5
5cd7f3fb2da40fa1ead65f9afc9a2e87

SHA1
e379fcfde2db3f299006bb4a251d1f8d6212b1d3

SHA256
17572b178b519457c984e780c9a8e382b39cc54bb00c8e33b7bcd896b19035e6

SHA512
6dcd8a230558c96f2f684e6b14f46768f8beda94b25ef2647ec37337f0dcb3db91fa9fef26aa931af875d2bb7cc0ad189dc28bc7814a4c1750afb61c85651e97

Download Submit
C:\Windows\SysWOW64\Leoejh32.exe

Filesize
192KB

MD5
78670ff53847bc915fe4f638be45d74c

SHA1
582760cfc467e1e6aa0dc3dc41fbbf2d35e848b6

SHA256
ba2deaaf1304404aac588247f9e85a2054bfbf121b2e08a154cb417b5d2b0cd7

SHA512
7a160d785964bb9f7c6d713ff548c942a18d64f8ddd759ababdd0b3596dd30a446b9c558f92e59c85fcc925fe96a189799a42bd9f64bc73fd5bbea95dcef5212

Download Submit
C:\Windows\SysWOW64\Mhpgca32.exe

Filesize
192KB

MD5
63cbdda16cc1565bb17aa2939d89c02c

SHA1
9def5b9d92976a955dbdd3fa2c7c25c430f638ea

SHA256
c921267a80f8627665a4c5fd8bc4cf54318ceeb4638a2c8c88f2d3c16a9093f7

SHA512
c53908f820a272a66a052ce4934b153481e8bc4311f5ce92fece323a57009e410fd5e0ba5e4163944927cef1e3ed4398d59a72f199d47b1de97d7920fb17e11f

Download Submit
memory/216-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/532-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/624-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/752-558-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/752-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/812-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1096-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1212-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1372-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1612-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1724-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1832-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1888-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2264-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2316-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2356-84-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2476-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2544-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2556-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2636-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2768-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2792-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2804-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2860-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2876-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3080-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3140-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3292-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3292-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3300-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3308-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3320-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3384-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3416-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3600-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3612-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3636-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3720-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3736-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3776-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3784-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4016-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4048-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4048-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4228-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4244-392-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4340-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4352-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4460-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4576-579-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4576-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-593-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4820-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4936-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5008-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5016-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5028-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5088-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5160-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5200-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5204-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5244-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5256-554-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5292-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5332-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5356-559-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5372-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5416-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5444-570-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5468-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5508-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5544-573-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5548-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5588-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5620-585-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5628-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5668-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5716-587-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5724-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5768-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5812-594-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5816-512-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5868-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5936-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5996-526-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/6060-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/6132-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads