e1edb83567954708af41a5c9c975a40d8c6828d5de207965cba8f81a5d6e5d4f

Analysis

max time kernel
114s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 13:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a7f9d391fb69e9a0e6dc8d771e5e15f0N.exe
Size

1.2MB
MD5

a7f9d391fb69e9a0e6dc8d771e5e15f0
SHA1

bac2f82f75a1ec50bd261a359bafbd4f3cda00a4
SHA256

e1edb83567954708af41a5c9c975a40d8c6828d5de207965cba8f81a5d6e5d4f
SHA512

26a8d02f2d564d39a7c32bf7de803abceba61e380c8bc65e36027c8b48e7eb63a48bf27193287fdc1d9fa9b4eeb0a6c6b3619db4233efbb9355d8b177c39cfbe
SSDEEP

24576:ZbnWFr+gu5YyCtCCm0BKh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YR:dYr+gu5RCtCXbazR0vk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iojkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a7f9d391fb69e9a0e6dc8d771e5e15f0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piapkbeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfccogfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcoljagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noppeaed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a7f9d391fb69e9a0e6dc8d771e5e15f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lafmjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laiipofp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpepbgbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kiikpnmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loofnccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojcpdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpnjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnnmhfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbepme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lindkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lancko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piocecgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbdiknlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiikpnmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kifojnol.exe

Executes dropped EXE 64 IoCs

pid	Process
1116	Ieojgc32.exe
4384	Iojkeh32.exe
1808	Ibgdlg32.exe
1604	Joqafgni.exe
1928	Joekag32.exe
2988	Jpegkj32.exe
3608	Jpgdai32.exe
4176	Jbepme32.exe
1060	Khbiello.exe
4840	Kbhmbdle.exe
948	Kplmliko.exe
3140	Kamjda32.exe
4272	Khgbqkhj.exe
4740	Kpnjah32.exe
4680	Kapfiqoj.exe
516	Kifojnol.exe
3204	Kabcopmg.exe
3252	Kiikpnmj.exe
1944	Klggli32.exe
3176	Kofdhd32.exe
944	Kadpdp32.exe
4232	Lhnhajba.exe
4156	Lpepbgbd.exe
1112	Lafmjp32.exe
3048	Lindkm32.exe
5080	Lpgmhg32.exe
1264	Laiipofp.exe
4464	Ljpaqmgb.exe
3604	Llnnmhfe.exe
4600	Lomjicei.exe
764	Lakfeodm.exe
4240	Ljbnfleo.exe
4236	Loofnccf.exe
4064	Lancko32.exe
4940	Lhgkgijg.exe
2528	Lpochfji.exe
4476	Lcmodajm.exe
2040	Mfkkqmiq.exe
3436	Mhjhmhhd.exe
452	Mpapnfhg.exe
2976	Mcoljagj.exe
5128	Mjidgkog.exe
5168	Mlhqcgnk.exe
5208	Mofmobmo.exe
5248	Mbdiknlb.exe
5288	Mhoahh32.exe
5328	Mpeiie32.exe
5368	Mcdeeq32.exe
5408	Mfbaalbi.exe
5448	Mhanngbl.exe
5496	Mqhfoebo.exe
5528	Mbibfm32.exe
5568	Mhckcgpj.exe
5608	Mqjbddpl.exe
5648	Nciopppp.exe
5688	Nfgklkoc.exe
5728	Nmaciefp.exe
5768	Noppeaed.exe
5808	Nbnlaldg.exe
5848	Nhhdnf32.exe
5888	Nqoloc32.exe
5928	Ncmhko32.exe
5968	Njgqhicg.exe
6008	Nmfmde32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nbnlaldg.exe	Noppeaed.exe
File opened for modification	C:\Windows\SysWOW64\Ncmhko32.exe	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Pafkgphl.exe	Piocecgj.exe
File opened for modification	C:\Windows\SysWOW64\Nciopppp.exe	Mqjbddpl.exe
File created	C:\Windows\SysWOW64\Benibond.dll	Jpgdai32.exe
File opened for modification	C:\Windows\SysWOW64\Lpgmhg32.exe	Lindkm32.exe
File created	C:\Windows\SysWOW64\Ljbnfleo.exe	Lakfeodm.exe
File opened for modification	C:\Windows\SysWOW64\Lcmodajm.exe	Lpochfji.exe
File created	C:\Windows\SysWOW64\Ncmhko32.exe	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Pqbala32.exe	Oikjkc32.exe
File opened for modification	C:\Windows\SysWOW64\Ibgdlg32.exe	Iojkeh32.exe
File created	C:\Windows\SysWOW64\Lomjicei.exe	Llnnmhfe.exe
File created	C:\Windows\SysWOW64\Mpeiie32.exe	Mhoahh32.exe
File opened for modification	C:\Windows\SysWOW64\Mhckcgpj.exe	Mbibfm32.exe
File created	C:\Windows\SysWOW64\Ibgdlg32.exe	Iojkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Mbibfm32.exe	Mqhfoebo.exe
File created	C:\Windows\SysWOW64\Nhhdnf32.exe	Nbnlaldg.exe
File created	C:\Windows\SysWOW64\Lfgnho32.dll	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Hmjbog32.dll	Joekag32.exe
File created	C:\Windows\SysWOW64\Ohfkgknc.dll	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Nmaciefp.exe	Nfgklkoc.exe
File created	C:\Windows\SysWOW64\Ofjqihnn.exe	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Lpepbgbd.exe	Lhnhajba.exe
File created	C:\Windows\SysWOW64\Bihice32.dll	Omalpc32.exe
File created	C:\Windows\SysWOW64\Dhlbgmif.dll	Pbjddh32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdnln32.exe	Nqfbpb32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbala32.exe	Oikjkc32.exe
File opened for modification	C:\Windows\SysWOW64\Pcpnhl32.exe	Pqbala32.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pfhmjf32.exe
File created	C:\Windows\SysWOW64\Joqafgni.exe	Ibgdlg32.exe
File opened for modification	C:\Windows\SysWOW64\Joqafgni.exe	Ibgdlg32.exe
File created	C:\Windows\SysWOW64\Hlqeenhm.dll	Kbhmbdle.exe
File opened for modification	C:\Windows\SysWOW64\Lakfeodm.exe	Lomjicei.exe
File created	C:\Windows\SysWOW64\Ojcpdg32.exe	Oblhcj32.exe
File created	C:\Windows\SysWOW64\Jlgfga32.dll	Kamjda32.exe
File opened for modification	C:\Windows\SysWOW64\Ljbnfleo.exe	Lakfeodm.exe
File opened for modification	C:\Windows\SysWOW64\Mcdeeq32.exe	Mpeiie32.exe
File created	C:\Windows\SysWOW64\Ceohefin.dll	Mfbaalbi.exe
File opened for modification	C:\Windows\SysWOW64\Mqhfoebo.exe	Mhanngbl.exe
File opened for modification	C:\Windows\SysWOW64\Laiipofp.exe	Lpgmhg32.exe
File created	C:\Windows\SysWOW64\Mjidgkog.exe	Mcoljagj.exe
File created	C:\Windows\SysWOW64\Ocdnln32.exe	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Fknofqcc.dll	Piocecgj.exe
File created	C:\Windows\SysWOW64\Mcoljagj.exe	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Anafep32.dll	Mcoljagj.exe
File created	C:\Windows\SysWOW64\Akmcfjdp.dll	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Qidpon32.dll	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Mneoha32.dll	Jpegkj32.exe
File opened for modification	C:\Windows\SysWOW64\Kofdhd32.exe	Klggli32.exe
File created	C:\Windows\SysWOW64\Mpapnfhg.exe	Mhjhmhhd.exe
File opened for modification	C:\Windows\SysWOW64\Mpapnfhg.exe	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Nnndji32.dll	Oiccje32.exe
File created	C:\Windows\SysWOW64\Mleggmck.dll	Lafmjp32.exe
File created	C:\Windows\SysWOW64\Fdflknog.dll	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Pfigmnlg.dll	Nmfmde32.exe
File created	C:\Windows\SysWOW64\Oblhcj32.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Iheocj32.dll	Pbekii32.exe
File created	C:\Windows\SysWOW64\Aemghi32.dll	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Mgccelpk.dll	Mhanngbl.exe
File opened for modification	C:\Windows\SysWOW64\Nofefp32.exe	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Aadafn32.dll	Nofefp32.exe
File opened for modification	C:\Windows\SysWOW64\Lhnhajba.exe	Kadpdp32.exe
File created	C:\Windows\SysWOW64\Nfgklkoc.exe	Nciopppp.exe
File opened for modification	C:\Windows\SysWOW64\Nmaciefp.exe	Nfgklkoc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6928	6784	WerFault.exe	194

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lafmjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbdiknlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbibfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgklkoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbekii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieojgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joqafgni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapfiqoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmhko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ommceclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgkgijg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmodajm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcegclgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpeaoih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpegkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laiipofp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookoaokf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obqanjdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kifojnol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhhdnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pakdbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljbnfleo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcoljagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omalpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhqcgnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqklkbbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lomjicei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojnfihmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplhhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lindkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcdeeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opbean32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjaleemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhmjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joekag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadpdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfkkqmiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhoahh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafkgphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kabcopmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhanngbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmaciefp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oikjkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pififb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lakfeodm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njgqhicg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piapkbeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdnln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgdai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klggli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofmobmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfbaalbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbnlaldg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfccogfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbepme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjidgkog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhckcgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nimmifgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omdieb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khbiello.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oblhcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojcpdg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lakfeodm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpqiega.dll"	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidpon32.dll"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaeocdd.dll"	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onnnbnbp.dll"	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Loofnccf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll"	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdockf32.dll"	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a7f9d391fb69e9a0e6dc8d771e5e15f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndfnlpc.dll"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceohefin.dll"	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llnnmhfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odibfg32.dll"	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbhmbdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lafmjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kiikpnmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkoiaif.dll"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqoloc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Niojoeel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qckcba32.dll"	Pqbala32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqbala32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lafmjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgfga32.dll"	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnpn32.dll"	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjoiip32.dll"	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Joekag32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 1116	4152	a7f9d391fb69e9a0e6dc8d771e5e15f0N.exe	89
PID 4152 wrote to memory of 1116	4152	a7f9d391fb69e9a0e6dc8d771e5e15f0N.exe	89
PID 4152 wrote to memory of 1116	4152	a7f9d391fb69e9a0e6dc8d771e5e15f0N.exe	89
PID 1116 wrote to memory of 4384	1116	Ieojgc32.exe	90
PID 1116 wrote to memory of 4384	1116	Ieojgc32.exe	90
PID 1116 wrote to memory of 4384	1116	Ieojgc32.exe	90
PID 4384 wrote to memory of 1808	4384	Iojkeh32.exe	91
PID 4384 wrote to memory of 1808	4384	Iojkeh32.exe	91
PID 4384 wrote to memory of 1808	4384	Iojkeh32.exe	91
PID 1808 wrote to memory of 1604	1808	Ibgdlg32.exe	92
PID 1808 wrote to memory of 1604	1808	Ibgdlg32.exe	92
PID 1808 wrote to memory of 1604	1808	Ibgdlg32.exe	92
PID 1604 wrote to memory of 1928	1604	Joqafgni.exe	93
PID 1604 wrote to memory of 1928	1604	Joqafgni.exe	93
PID 1604 wrote to memory of 1928	1604	Joqafgni.exe	93
PID 1928 wrote to memory of 2988	1928	Joekag32.exe	95
PID 1928 wrote to memory of 2988	1928	Joekag32.exe	95
PID 1928 wrote to memory of 2988	1928	Joekag32.exe	95
PID 2988 wrote to memory of 3608	2988	Jpegkj32.exe	96
PID 2988 wrote to memory of 3608	2988	Jpegkj32.exe	96
PID 2988 wrote to memory of 3608	2988	Jpegkj32.exe	96
PID 3608 wrote to memory of 4176	3608	Jpgdai32.exe	97
PID 3608 wrote to memory of 4176	3608	Jpgdai32.exe	97
PID 3608 wrote to memory of 4176	3608	Jpgdai32.exe	97
PID 4176 wrote to memory of 1060	4176	Jbepme32.exe	98
PID 4176 wrote to memory of 1060	4176	Jbepme32.exe	98
PID 4176 wrote to memory of 1060	4176	Jbepme32.exe	98
PID 1060 wrote to memory of 4840	1060	Khbiello.exe	99
PID 1060 wrote to memory of 4840	1060	Khbiello.exe	99
PID 1060 wrote to memory of 4840	1060	Khbiello.exe	99
PID 4840 wrote to memory of 948	4840	Kbhmbdle.exe	100
PID 4840 wrote to memory of 948	4840	Kbhmbdle.exe	100
PID 4840 wrote to memory of 948	4840	Kbhmbdle.exe	100
PID 948 wrote to memory of 3140	948	Kplmliko.exe	101
PID 948 wrote to memory of 3140	948	Kplmliko.exe	101
PID 948 wrote to memory of 3140	948	Kplmliko.exe	101
PID 3140 wrote to memory of 4272	3140	Kamjda32.exe	102
PID 3140 wrote to memory of 4272	3140	Kamjda32.exe	102
PID 3140 wrote to memory of 4272	3140	Kamjda32.exe	102
PID 4272 wrote to memory of 4740	4272	Khgbqkhj.exe	103
PID 4272 wrote to memory of 4740	4272	Khgbqkhj.exe	103
PID 4272 wrote to memory of 4740	4272	Khgbqkhj.exe	103
PID 4740 wrote to memory of 4680	4740	Kpnjah32.exe	104
PID 4740 wrote to memory of 4680	4740	Kpnjah32.exe	104
PID 4740 wrote to memory of 4680	4740	Kpnjah32.exe	104
PID 4680 wrote to memory of 516	4680	Kapfiqoj.exe	105
PID 4680 wrote to memory of 516	4680	Kapfiqoj.exe	105
PID 4680 wrote to memory of 516	4680	Kapfiqoj.exe	105
PID 516 wrote to memory of 3204	516	Kifojnol.exe	106
PID 516 wrote to memory of 3204	516	Kifojnol.exe	106
PID 516 wrote to memory of 3204	516	Kifojnol.exe	106
PID 3204 wrote to memory of 3252	3204	Kabcopmg.exe	107
PID 3204 wrote to memory of 3252	3204	Kabcopmg.exe	107
PID 3204 wrote to memory of 3252	3204	Kabcopmg.exe	107
PID 3252 wrote to memory of 1944	3252	Kiikpnmj.exe	108
PID 3252 wrote to memory of 1944	3252	Kiikpnmj.exe	108
PID 3252 wrote to memory of 1944	3252	Kiikpnmj.exe	108
PID 1944 wrote to memory of 3176	1944	Klggli32.exe	109
PID 1944 wrote to memory of 3176	1944	Klggli32.exe	109
PID 1944 wrote to memory of 3176	1944	Klggli32.exe	109
PID 3176 wrote to memory of 944	3176	Kofdhd32.exe	110
PID 3176 wrote to memory of 944	3176	Kofdhd32.exe	110
PID 3176 wrote to memory of 944	3176	Kofdhd32.exe	110
PID 944 wrote to memory of 4232	944	Kadpdp32.exe	111

C:\Users\Admin\AppData\Local\Temp\a7f9d391fb69e9a0e6dc8d771e5e15f0N.exe
"C:\Users\Admin\AppData\Local\Temp\a7f9d391fb69e9a0e6dc8d771e5e15f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\SysWOW64\Ieojgc32.exe
  C:\Windows\system32\Ieojgc32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\Iojkeh32.exe
    C:\Windows\system32\Iojkeh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\SysWOW64\Ibgdlg32.exe
      C:\Windows\system32\Ibgdlg32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        67⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2044
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        84⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        90⤵
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6224
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        93⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:6424
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6464
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6504
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        101⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:6664
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        104⤵
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:6784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6784 -s 412
        107⤵
        Program crash
        
        PID:6928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6784 -ip 6784
1⤵
PID:6860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3980,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:6984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ibgdlg32.exe

Filesize
1.2MB

MD5
f8164fc6cd1592c1d00ac3582bd7a4f9

SHA1
954ba118f574f31168d7a6e80eddc9edce4ddb29

SHA256
d14271b4468bd77a8463b62dd21c24de30b4b01c4b9e68b60e8c73899115d3a3

SHA512
bfbd2827d117b3d4f868d88ffaf49354d9439b6848697f317667ba196f4806bdb931462e8b6501bd7f067b49cdd47e80563e50ec32daa027dc078015a3bebc75

Download Submit
C:\Windows\SysWOW64\Ieojgc32.exe

Filesize
1.2MB

MD5
198ec3cb2fd72ea9730ec6e7ed5d48d1

SHA1
5372c1d2e56a2d54812c16a243f6ae9357c61417

SHA256
7d990176998552091025b864c1d114d20b295bdb051077de1e6f761cd53cee3d

SHA512
527d49383c815e5110f4a3bfe5e5213487f78e26583cfea7877bfe66ab937e67dd4234953a66f85d81074743e6aa83bf428f5d617837c7da47d736ad627d45be

Download Submit
C:\Windows\SysWOW64\Iojkeh32.exe

Filesize
1.2MB

MD5
9b75618b899d16bc111a78a5a6b11715

SHA1
2d6a601cb674c851efdc509af450e77340c9f4e9

SHA256
98515efc4bb6f2ef0c2564a1ba7ee0e3d85836a9af01e624ff920598917684fa

SHA512
67f5831f5e713b86564e6ecbe6953b7eb64562cb735cfe56e906eaa9ef63ba52a521c3234dd87a8d0a8080ed3025a4f08cc20909dc4479024a13eabb5cffb11b

Download Submit
C:\Windows\SysWOW64\Jbepme32.exe

Filesize
1.2MB

MD5
cb48ee6de7559ef550568f8f3b124fc5

SHA1
480cd891b1122e120a92ea57d099417b01920c5d

SHA256
40b5ad39761d769df6c2b74c7aea6f24d22a5c789d79be197347672c3d574e95

SHA512
7753dd4aaef2f1b2d3e8179d34365e6a27fcbb8671c8ebc4231c2a39f396c5ba6d5d2b9d8ad5d4507f61db5fb073d8e876358f40c2bfed4818b41c54bafe4973

Download Submit
C:\Windows\SysWOW64\Joekag32.exe

Filesize
1.2MB

MD5
84ff625a8dd60a76ccaa97ab160bd561

SHA1
888867e89570150a54f50b90412436f6f21a9348

SHA256
51c6cb7dba0f7529d80c63fa749b7f6f4e0e7bb7b7bcd90f9774bb356820443f

SHA512
0b3556731e50609d5f121289abfbfc2e109b534856f6e2f0e6d59f9c7ad91c9959f00744b5696a21bee81707f56036610b887752400bb04e9db71128fb206a7b

Download Submit
C:\Windows\SysWOW64\Joqafgni.exe

Filesize
1.2MB

MD5
b1f007866e9aadaabb02af5bf6a99f69

SHA1
564af6530267b4d479c226fafdb3e7ea828b76df

SHA256
08c35f291813dd3a26797812c2709bebdd733b592b2796dca9be98f1e2088576

SHA512
f26292546701f331e7f140d67170e0bbf65c38dc5229c27763b0cf645c07b06fe869af1754ddca3049d16d57337aca7557b44ee165f9543ea640cf9c654df248

Download Submit
C:\Windows\SysWOW64\Jpegkj32.exe

Filesize
1.2MB

MD5
db7ab62ccd1a700f00fb9ca79bb97874

SHA1
f949157693a56fadaed22bce562f151989bd264f

SHA256
f5f925e4a61be004008a01c2b32103acc3d8fc1311199f76c5006b172d5e1b5f

SHA512
36cb71bd795566a8ba34b4a5e4493b1148e29e80fe80baf02699365e51bd1ea8933e28e7314c078889f616d9f06e9fe208f8ef689f8596b504bcc00402c7f766

Download Submit
C:\Windows\SysWOW64\Jpgdai32.exe

Filesize
1.2MB

MD5
09e95f3c73981309ffef7db03076c840

SHA1
3fd41c520679d716e5ee54b82976972ec7d23489

SHA256
b23f7c4132b232bee0df8103de5f4ea840facd5eb241e2d8e927a85419ed20cf

SHA512
448ab0640c1d9378a9adcf9d5a8a6352e10391ad2dd2782f0dc589456001962c782ba8d01085ad1a50ae5feb9f6b2be9c6beb5cdfe800062701d5bf8aee460f2

Download Submit
C:\Windows\SysWOW64\Kabcopmg.exe

Filesize
1.2MB

MD5
41bda59ec671e5e1ba11ad6dc0b5ce1f

SHA1
c29789b3bc401e1fda6c8b30f097779704465e2d

SHA256
02b9e13b3fc8aee51c672ab1e9d37a258d602b856bec0bbc756ec9f73a0aa9f8

SHA512
17a293bdf992af48812c97c8fbdd238e516678da056a605a297b5a8f346f7e8e6d3f335f518ffcb4dbde43df57685d4c0cc46d8c09e29c86ed70e6216fedb0a9

Download Submit
C:\Windows\SysWOW64\Kadpdp32.exe

Filesize
1.2MB

MD5
b124e0df2c0c03f5a040f23e9db7f059

SHA1
f869f91a972a62ae149a136d5adf90c5ab6962f6

SHA256
f8820ee795620dd1e39341b02c9fdb2b8b01ae4d2a8baafe041f04be97e7abfc

SHA512
986621b7d7915e6295ee505ad82fdde249d088b6a02ed1497849137b3ae7f894fd9aad652dc97012a8bbeeadee68b9e1057334d56f9c1ae242e171f2179207d5

Download Submit
C:\Windows\SysWOW64\Kamjda32.exe

Filesize
1.2MB

MD5
b07530c6850b60d641f3ef8afc07e4b3

SHA1
812c4b6e56efea32ea6f334ac9917b92210e0acd

SHA256
5e152ad93c9a941eaa6b14206b055e306de1b5362b24f59d2c723c7614351d78

SHA512
2c190cca3399e768c4bcb5a1be1a4edfcdc2b2ec9d7316d020de22e7298a8c98d2e3384474494416024ac98e8039449928de9b3fe46f80d2cae008068f6cba0b

Download Submit
C:\Windows\SysWOW64\Kapfiqoj.exe

Filesize
1.2MB

MD5
659a4aa59e1f75f9c628e1a64bbbc361

SHA1
51880f6fe10a36d8d98e692b0aefb41507b2fa58

SHA256
28bdbf2794dccff11cd8a2e585b5bd77b31f5bdfaafc0e21887ff6feee155a5d

SHA512
f76b04bb51657e34019f363f76621dc036ac56bf1aff12539439b45d04eecb68145a872d3d9dd179bb7219830a71fefea5fbe0be6ec4eb686c49424065b5e113

Download Submit
C:\Windows\SysWOW64\Kbhmbdle.exe

Filesize
1.2MB

MD5
cccec5b321a59f5141b5cf914f72b08e

SHA1
c47a2deb3089af33efcbf1e5839383aff47dcb60

SHA256
dfb611d358eeb9a24ba10f28b5d16e34fef21000b1f2dc82f798d583a440f636

SHA512
b517f06fa01f6690f9b82aeee3e8b6c6c95793eaed2b1c257eee76db6f28c71f30131a6ce70be9568be6ee2fee0e03b3f93e4aa960f4343936c1aaa7568e8714

Download Submit
C:\Windows\SysWOW64\Khbiello.exe

Filesize
1.2MB

MD5
eaecbec95d48dcf2e85ecad71918d47a

SHA1
20a8ae54de5e737952f85bd195b53850ac23d24e

SHA256
ddc0bb29a6b9c74a72e962891ace4541aa8cbf0f4017f251eb58352842146f32

SHA512
0655bd63a9810128b0c76cd273451f72944a28e6601c1eb19e26279e929dec473f3447d5d32be9c29d5358a5b22b4e20458be2d018cfa011badbffbb2cf1ef50

Download Submit
C:\Windows\SysWOW64\Khgbqkhj.exe

Filesize
1.2MB

MD5
3c3339fd26aaaf9af5686277956cce2d

SHA1
03bdb70681630a277620f3e8364fedc3e620d983

SHA256
71958dd2677deb98f248e03017a534d39f128ca6c544a1e0009b61e66193cc92

SHA512
f4c7f603fe5b36c46606077e6735a6f4bc85be1317577be0178616e29a236359eb9d298ec41e906b49d9891a4f15afb5087895ea2920ba18acc402c444f5f729

Download Submit
C:\Windows\SysWOW64\Kifojnol.exe

Filesize
1.2MB

MD5
d88c830a6495f9be8876eb0db9e5be41

SHA1
8e633ba6d155a251c3d035971febb4b6f2e5fb43

SHA256
ac1bcc069f52e4e9ac23130421b9722de27e58fb6b295e603dcf7c7369f7bdf4

SHA512
d86c7ad4be5c7b124c2f1615e57b19d01da7d6df545400fc7f65aa5958310530e6ac03fc1c58d65f23f8bd5622defe8d6a9fcea6e5bd7123e3bac873a092af0b

Download Submit
C:\Windows\SysWOW64\Kiikpnmj.exe

Filesize
1.2MB

MD5
8c473a70facc8613995b27bcd6f9d023

SHA1
72092bd1c52ec7bb0ea0fb7eb5d99c862d2accb6

SHA256
18f796f09c9ca3079789b712bbb855d8b615906e436b80b1f22d7f459c7c7a74

SHA512
edc308ba4e3ea6df77a34f753ce8b459a7d6ca91d8a383f57ea774a45f092b7083ff1ca431249044647063c11626a39d1349be19e7b655026d9938e586391c50

Download Submit
C:\Windows\SysWOW64\Klggli32.exe

Filesize
1.2MB

MD5
90ff890a0b8a630db6bbf94729877342

SHA1
4cca693315d0e72a7a597535341dcf0176ac15a3

SHA256
3d4b5a0a0f023d6299f05fd1375207b636c6c43f17e6fc620a41ed5a120ed144

SHA512
deea5c1cb41fdcdb171e573c94c62761b575a538653ec9f9da41f786ebef4ffea4c42dbb475718eb5349a931525089880355a8c123d4a3115113e25fab54c477

Download Submit
C:\Windows\SysWOW64\Kofdhd32.exe

Filesize
1.2MB

MD5
48fa862d9d608fa88d26a31cdb186f4b

SHA1
67cfa77b0ff27662427f106c6cf23a10253c2449

SHA256
184cc9a8c9ae5b5a034b079652ddc7669fd65f0d89c14d463768d25d914eae1e

SHA512
fbb13d6ea596bb4e61946083ec6d46fe707ce5b9f3431ec5d2a800d9923a724f9c69f78fa8f5c4d2a5fd1bbccfb460f739ac1c85eaa275afd66a0af846d7b1ff

Download Submit
C:\Windows\SysWOW64\Kplmliko.exe

Filesize
1.2MB

MD5
7531c46fbe73cb74a5d1ddaf185c48a4

SHA1
035b85eaff0a769ec8fa9ab9f03008d16977b7d9

SHA256
f482206eb2989bb38e1ccf4fc3f43e59ebfe01a04a1f9600dcf0cd3b13f3e98e

SHA512
406d9517036665dccf4205fe6649a947c665483da8eb92964c6f9f8d110f91a41241f1b573e027be1eefefc1eb4d1b484be945f776b1113e4812c9b734dcffc9

Download Submit
C:\Windows\SysWOW64\Kpnjah32.exe

Filesize
1.2MB

MD5
692eec357ea6dafc6f4a24d097c492ab

SHA1
b97f3eaa0962e154780f2d61b71a34e605c6b720

SHA256
9ef1643bd207d6d0368b116a1885d419768b5818b9ec99cb30b5a36cf82c3d21

SHA512
de808dba31dc8fc61291299a715f1a4e32ac3039947f5819ec7b112021217b11f25021bc2d2dbc2ffd9af06042895ca404522cb562eb2b7143a8ad81cf97cb92

Download Submit
C:\Windows\SysWOW64\Lafmjp32.exe

Filesize
1.2MB

MD5
f8d11e5d81b86829b4aade06f9120dd3

SHA1
b2e98c0c10e9fdda82cf3a0101533e08a0241ca7

SHA256
fb9543f73223dd852828b495dac7581eb6da00c4e3e6dd20a9ad091f758c333a

SHA512
3599d40e4e6f53d221710664f9de5dc824283814f7efb359770850d185d24ec72dd13bd0962233668ad9cfb088218a86ff1ee7f05c38a53c271b25d03c5ae6d6

Download Submit
C:\Windows\SysWOW64\Laiipofp.exe

Filesize
1.2MB

MD5
e03778d16756cf09afb4f0f77231b991

SHA1
ac50de9ede4d6fa55896656707e61f4a13b7705b

SHA256
efc9acb4c6c6a44b52f19149b05d78a3fe3c674f032c3c81dda988f22b984424

SHA512
e5b5a895321b4373d3847188df29f4f13781f4e0da9144be6085ea48127d58f19c0ff0377a9bd27e490276cb10d1e32bd8ba36d89daa3c25d08fa64793784825

Download Submit
C:\Windows\SysWOW64\Lakfeodm.exe

Filesize
1.2MB

MD5
9c72922360b89bd5ea0e1f4e7da54a7d

SHA1
f07c07d7109aa01b2dd0c435cd7fd07e40b77cce

SHA256
b1249ebcf30e111d3716171d569237ffc61044d787301c5991cf36fdf77e4bd2

SHA512
b652120dd60c881a1ef1045b795e2a195c9694184783aba369973fbca7ac4b5418a484e1c76dbb5c2ee2baab42df6321ec66c3db46132e7096732d4ee177652b

Download Submit
C:\Windows\SysWOW64\Lhnhajba.exe

Filesize
1.2MB

MD5
5cee33de7bab782154cf2bc66ee02e29

SHA1
ed2c451cc2df747e5985c5e8c25378856432fb2c

SHA256
0289144d65be1aec7a73c08f03685ee94b856e64ede6d359aebdc03d15dddbc7

SHA512
08d7797870d4701aafd6d9103694b4165a6edf426c69def4535ff7e0e6e6ac8f90226b3d2beb27f4a1259bbaa2c7c3d38a319746dbda450ee5109a252af8c96c

Download Submit
C:\Windows\SysWOW64\Lindkm32.exe

Filesize
1.2MB

MD5
8aea1d608f9d8c0197ed2163b09de320

SHA1
ccd2ff47634cc56b96801a71b9d68e93f2c4b816

SHA256
4ac40e1231321fa13e327c19f82953f5cdbf580d0613ecf3e1cff066c687c805

SHA512
eadc23ff998d50836e2ca7b4c22e453b7021a1ac8c6d43d247d0190af03b5b33f712fabdee147948652a0dcfb583ae544b7eb80497f0ab27990c5c7a8e6f22b0

Download Submit
C:\Windows\SysWOW64\Ljbnfleo.exe

Filesize
1.2MB

MD5
b834e7ce9323e768b1e5da129a29421e

SHA1
b42369972541ac1ea4280396365300d8ce62d726

SHA256
a6fe1b078413f14a01b2182091e4ed505318004d0726695a26c0e4114e7e1ccf

SHA512
3ecc3997e31fbccaf2d8e108024f9fe4f3cbc70a0fdc009bfa769b224b31a58cb6f7eb4228e3771ecbfadf886c3d866a0c61b135da1c0da5c23ecf4a551cfee8

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
1.2MB

MD5
a46cd0409bc8a9ca49426ddff6ea6d7e

SHA1
bb455e94f0f994fea86f1a995f7c97bd816bcb3d

SHA256
61fbd9068cdd37874e594a6eefd1e63d17194761d2c073a7031125bda2bb0b52

SHA512
8c2a7fe248e226b8bac49d87b886b02659104dd6b1ccd65abc3fdff86fe85877b21c5e82b43ed0e11b988cf8cfdc48b03ca1adb59f70392db654f358946acf94

Download Submit
C:\Windows\SysWOW64\Llnnmhfe.exe

Filesize
1.2MB

MD5
ba2ea20c6aa55b26ad01c0e57ce3e28a

SHA1
657330c1d5f59014231706d438293b8d6f2e06c2

SHA256
4971271281b8562ac258f8e9669962b9b6a6b47bca0b970ac535a405bf3320f2

SHA512
fa748792965d6853373872d824170046627bcbe9d97782e1a18b5abc71d7baadc24c6b491739bbf3f5574e5102876e5c42a1bf6645560242e5bf0e4d4d5cfd49

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
1.2MB

MD5
f6fd4cb42e701a662dc9b106d89a98d5

SHA1
2ad3502059f220b84eba6bb77516dc4958a19387

SHA256
1085e2e518f441d199fdf37ba0b48d9bfb1918e437d286c9e52ed071716b70ee

SHA512
4dd5172322b37bcc46438d68dfaae1a14abb77e39c97153ab9ebc50ea8e40605343797cd8cffb6b38b8a73aed5a18de3009005b9136e6d643e6e4b7fca3dec16

Download Submit
C:\Windows\SysWOW64\Lpepbgbd.exe

Filesize
1.2MB

MD5
08df47ccc46ac90482c7fe1d4d549fd7

SHA1
a56b60a80512c78e29179f88ba3f66bd5a014564

SHA256
18976334c621716a18e5c86293c691b9999b4c4640c9f56ca16fb63c0d2fb144

SHA512
55e3cfaa174faa94fbf8805703c94dd2c59caaf44c05a8abee9191581374f6212c3396782387e8fb262191d231810ed86eb5bb9e13f7b069f835354844141779

Download Submit
C:\Windows\SysWOW64\Lpgmhg32.exe

Filesize
1.2MB

MD5
0c6f8023581c4366392315df14cf19af

SHA1
1d5c8d376369a5fbb8620da32d358682915d4c5c

SHA256
7381c1fc1d943db61ba3becec5c8499e280d2312fc42c610fd3ae9d1bc3d0539

SHA512
834ccaebe303c2c987d41ecc5eb8f0b60e693c5b8f5673917782df2496b88e6111800a7d517e7f99a7e3bbc2f45dadfeaacc21ed0a8c1bd154e651c592823f54

Download Submit
C:\Windows\SysWOW64\Ngcglo32.dll

Filesize
7KB

MD5
bcf1b5072d55b14a0fcbb8acf87d05ba

SHA1
ef938a668bc27e38a555197ca38f91e412acb421

SHA256
d70838e16155f9023123040b882b41c4812d94cc8c11f113d30f14d75fa9b114

SHA512
6971d4f5897e2e9012fb156d6ee083a63c64f814f586e85718321a6efeaaab85e122e60b1f27188617febc02907443f1b0b6d8650186536f451a7078ee673c63

Download Submit
memory/452-317-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/516-140-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/764-261-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/944-181-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/948-94-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1060-76-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1112-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1116-93-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1116-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1264-229-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1808-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1808-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1928-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1928-129-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1944-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2040-305-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2044-491-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2284-509-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2528-293-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2976-323-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2988-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2988-139-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3048-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3116-599-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3140-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3176-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3204-149-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3252-157-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3384-485-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3436-311-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3604-245-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3608-148-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3608-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3692-497-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3884-539-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4064-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4152-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4152-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4156-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4176-69-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4232-189-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4236-275-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4240-269-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4272-113-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4288-521-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4384-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4384-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4464-237-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4476-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4548-503-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4600-253-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4680-130-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4840-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4940-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4952-557-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5080-221-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5128-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5156-515-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5168-335-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5208-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5248-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5288-353-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5296-527-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5328-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5368-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5376-533-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5408-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5448-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5496-383-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5524-545-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5528-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5568-395-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5592-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5608-401-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5648-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5688-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5724-563-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5728-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5768-425-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5800-569-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5808-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5848-437-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5880-575-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5888-443-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5928-449-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5952-581-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5968-455-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6008-461-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6016-587-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6048-467-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6088-473-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6096-593-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6128-479-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads