a3500dc2c950e5337fd5acacecc1082204ef738d0bf2fce499cefdaa8d8f1895

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9558ca3594280e3588b80b6f9995990N.exe
Size

56KB
MD5

c9558ca3594280e3588b80b6f9995990
SHA1

a43f03acaae6741ab4383002db31f7e300eabe3d
SHA256

a3500dc2c950e5337fd5acacecc1082204ef738d0bf2fce499cefdaa8d8f1895
SHA512

963de41cedbb91aa178d97e5101f86a22ed9e38a53aeaf1f6afe9ca48be2ec4268ff261298f3ac428e645cfbc50e4f202a3a988dbc14b107422bcae6c769d7f1
SSDEEP

1536:+CdtzjdnR+ltenxKIrgT/6cGQ/F1WF6buo:fddFMtenxKIcT/6c/AF6bv

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loopdmpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhbciqln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdngpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lehhqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkholi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcabej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkholi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkklbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jejbhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbbmmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lamlphoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbebilli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlefjnno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qihoak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnjbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Namegfql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlefjnno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbnbemf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okolfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkoemhao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfpghccm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkocol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbbnbemf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndpjnq32.exe

Executes dropped EXE 64 IoCs

pid	Process
4940	Jejbhk32.exe
1888	Jhhodg32.exe
3692	Jbncbpqd.exe
1224	Jdopjh32.exe
2628	Jnedgq32.exe
2544	Jeolckne.exe
1756	Jhmhpfmi.exe
1208	Jbbmmo32.exe
1152	Jeaiij32.exe
4548	Jlkafdco.exe
4380	Kbeibo32.exe
4400	Khabke32.exe
3796	Kbgfhnhi.exe
3724	Kefbdjgm.exe
1956	Khdoqefq.exe
4544	Klpjad32.exe
4924	Kdkoef32.exe
3204	Klbgfc32.exe
3368	Kopcbo32.exe
1356	Kblpcndd.exe
4464	Kejloi32.exe
1720	Khihld32.exe
4360	Lkiamp32.exe
1664	Loemnnhe.exe
3088	Ldbefe32.exe
1672	Lklnconj.exe
3392	Leabphmp.exe
3348	Lknjhokg.exe
1516	Lbebilli.exe
1984	Lahbei32.exe
2156	Lhbkac32.exe
2248	Lolcnman.exe
4580	Llpchaqg.exe
1604	Loopdmpk.exe
3680	Lamlphoo.exe
3792	Lehhqg32.exe
696	Moalil32.exe
4200	Mdnebc32.exe
2028	Mkgmoncl.exe
3688	Mociol32.exe
5000	Mdpagc32.exe
3560	Mhknhabf.exe
3196	Mcabej32.exe
4280	Madbagif.exe
4344	Mdbnmbhj.exe
4408	Mohbjkgp.exe
4468	Mddkbbfg.exe
3708	Mkocol32.exe
4404	Nhbciqln.exe
1020	Nchhfild.exe
4976	Ndidna32.exe
4292	Nkcmjlio.exe
4420	Namegfql.exe
3952	Nhgmcp32.exe
2256	Noaeqjpe.exe
3344	Ndnnianm.exe
1856	Nlefjnno.exe
2692	Nocbfjmc.exe
2912	Nbbnbemf.exe
2340	Nfnjbdep.exe
1200	Ndpjnq32.exe
2960	Nlgbon32.exe
3268	Nofoki32.exe
5168	Ncaklhdi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pfppoa32.exe	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Pfbmdabh.exe	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Qfjcep32.exe	Qckfid32.exe
File opened for modification	C:\Windows\SysWOW64\Amfhgj32.exe	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Pceijm32.dll	Jbbmmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mhknhabf.exe	Mdpagc32.exe
File opened for modification	C:\Windows\SysWOW64\Nocbfjmc.exe	Nlefjnno.exe
File created	C:\Windows\SysWOW64\Lolcnman.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Okolfj32.exe	Ohqpjo32.exe
File created	C:\Windows\SysWOW64\Obpkcc32.exe	Okfbgiij.exe
File opened for modification	C:\Windows\SysWOW64\Pfppoa32.exe	Pcbdcf32.exe
File opened for modification	C:\Windows\SysWOW64\Aealll32.exe	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Jdopjh32.exe	Jbncbpqd.exe
File created	C:\Windows\SysWOW64\Dcmnee32.dll	Jeaiij32.exe
File opened for modification	C:\Windows\SysWOW64\Kbgfhnhi.exe	Khabke32.exe
File created	C:\Windows\SysWOW64\Ekheml32.dll	Khabke32.exe
File created	C:\Windows\SysWOW64\Najlgpeb.dll	Leabphmp.exe
File created	C:\Windows\SysWOW64\Lchfjc32.dll	Oohkai32.exe
File created	C:\Windows\SysWOW64\Namegfql.exe	Nkcmjlio.exe
File opened for modification	C:\Windows\SysWOW64\Odedipge.exe	Obfhmd32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoagk32.exe	Pfeijqqe.exe
File opened for modification	C:\Windows\SysWOW64\Aeopfl32.exe	Abpcja32.exe
File created	C:\Windows\SysWOW64\Khihld32.exe	Kejloi32.exe
File created	C:\Windows\SysWOW64\Ehilac32.dll	Kejloi32.exe
File opened for modification	C:\Windows\SysWOW64\Lbebilli.exe	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Odedipge.exe	Obfhmd32.exe
File created	C:\Windows\SysWOW64\Ghnkilod.dll	Okfbgiij.exe
File opened for modification	C:\Windows\SysWOW64\Lhbkac32.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Bdhfnche.dll	Nlefjnno.exe
File opened for modification	C:\Windows\SysWOW64\Ncaklhdi.exe	Nofoki32.exe
File created	C:\Windows\SysWOW64\Odlpkg32.dll	Pbimjb32.exe
File created	C:\Windows\SysWOW64\Fcnhog32.dll	Khihld32.exe
File opened for modification	C:\Windows\SysWOW64\Lahbei32.exe	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Namegfql.exe	Nkcmjlio.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmjlio.exe	Ndidna32.exe
File created	C:\Windows\SysWOW64\Gcdfnq32.dll	Ohqpjo32.exe
File created	C:\Windows\SysWOW64\Qihoak32.exe	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Gckjdhni.dll	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Gdqeooaa.dll	Jeolckne.exe
File created	C:\Windows\SysWOW64\Mjlhjjnc.dll	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Loopdmpk.exe	Llpchaqg.exe
File created	C:\Windows\SysWOW64\Ncloojfj.dll	Pkholi32.exe
File created	C:\Windows\SysWOW64\Nhbciqln.exe	Mkocol32.exe
File opened for modification	C:\Windows\SysWOW64\Obfhmd32.exe	Oohkai32.exe
File opened for modification	C:\Windows\SysWOW64\Pdngpo32.exe	Obpkcc32.exe
File created	C:\Windows\SysWOW64\Fhmeii32.dll	Oljoen32.exe
File created	C:\Windows\SysWOW64\Hfqgoo32.dll	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Kbeibo32.exe	Jlkafdco.exe
File created	C:\Windows\SysWOW64\Lknjhokg.exe	Leabphmp.exe
File created	C:\Windows\SysWOW64\Eoggpbpn.dll	Mdnebc32.exe
File created	C:\Windows\SysWOW64\Fkekkccb.dll	Mdbnmbhj.exe
File opened for modification	C:\Windows\SysWOW64\Oooaah32.exe	Omaeem32.exe
File opened for modification	C:\Windows\SysWOW64\Qpbgnecp.exe	Qihoak32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpagc32.exe	Mociol32.exe
File created	C:\Windows\SysWOW64\Bebggf32.dll	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Khabke32.exe	Kbeibo32.exe
File created	C:\Windows\SysWOW64\Dhfhohgp.dll	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Lhbkac32.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Ofaqkhem.dll	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Qekjhmdj.dll	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Eilbckfb.dll	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Madbagif.exe	Mcabej32.exe
File opened for modification	C:\Windows\SysWOW64\Jnedgq32.exe	Jdopjh32.exe
File created	C:\Windows\SysWOW64\Caekaaoh.dll	Madbagif.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odbgdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9558ca3594280e3588b80b6f9995990N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbbmmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noaeqjpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbnbemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcabej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofoki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdopjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkgmoncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpchaqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mddkbbfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oohkai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkklbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Namegfql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mociol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jejbhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedipge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjmdocp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbncbpqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopcbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnnianm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefjnno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkdohg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loopdmpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhbciqln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nchhfild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oljoen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdngpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbebilli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpagc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdbnmbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlgbon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncaklhdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefbdjgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnedgq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaqkhem.dll"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Madbagif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpijjbj.dll"	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkidlkmq.dll"	Ohhfknjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqgoo32.dll"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlefjnno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmijcp32.dll"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekheml32.dll"	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lggfcd32.dll"	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnjfh32.dll"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honmnc32.dll"	Pdngpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhinoa32.dll"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngihj32.dll"	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloojfj.dll"	Pkholi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlpkg32.dll"	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmnibme.dll"	Nhbciqln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haafdi32.dll"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfhohgp.dll"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdklc32.dll"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okolfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoglp32.dll"	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbooabbb.dll"	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboleq32.dll"	Klpjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifiamoa.dll"	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkacdofa.dll"	Oloipmfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkholi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balfdi32.dll"	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmnee32.dll"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acicqigg.dll"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodipp32.dll"	Jnedgq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 4940	3960	c9558ca3594280e3588b80b6f9995990N.exe	91
PID 3960 wrote to memory of 4940	3960	c9558ca3594280e3588b80b6f9995990N.exe	91
PID 3960 wrote to memory of 4940	3960	c9558ca3594280e3588b80b6f9995990N.exe	91
PID 4940 wrote to memory of 1888	4940	Jejbhk32.exe	92
PID 4940 wrote to memory of 1888	4940	Jejbhk32.exe	92
PID 4940 wrote to memory of 1888	4940	Jejbhk32.exe	92
PID 1888 wrote to memory of 3692	1888	Jhhodg32.exe	93
PID 1888 wrote to memory of 3692	1888	Jhhodg32.exe	93
PID 1888 wrote to memory of 3692	1888	Jhhodg32.exe	93
PID 3692 wrote to memory of 1224	3692	Jbncbpqd.exe	94
PID 3692 wrote to memory of 1224	3692	Jbncbpqd.exe	94
PID 3692 wrote to memory of 1224	3692	Jbncbpqd.exe	94
PID 1224 wrote to memory of 2628	1224	Jdopjh32.exe	95
PID 1224 wrote to memory of 2628	1224	Jdopjh32.exe	95
PID 1224 wrote to memory of 2628	1224	Jdopjh32.exe	95
PID 2628 wrote to memory of 2544	2628	Jnedgq32.exe	96
PID 2628 wrote to memory of 2544	2628	Jnedgq32.exe	96
PID 2628 wrote to memory of 2544	2628	Jnedgq32.exe	96
PID 2544 wrote to memory of 1756	2544	Jeolckne.exe	97
PID 2544 wrote to memory of 1756	2544	Jeolckne.exe	97
PID 2544 wrote to memory of 1756	2544	Jeolckne.exe	97
PID 1756 wrote to memory of 1208	1756	Jhmhpfmi.exe	98
PID 1756 wrote to memory of 1208	1756	Jhmhpfmi.exe	98
PID 1756 wrote to memory of 1208	1756	Jhmhpfmi.exe	98
PID 1208 wrote to memory of 1152	1208	Jbbmmo32.exe	99
PID 1208 wrote to memory of 1152	1208	Jbbmmo32.exe	99
PID 1208 wrote to memory of 1152	1208	Jbbmmo32.exe	99
PID 1152 wrote to memory of 4548	1152	Jeaiij32.exe	101
PID 1152 wrote to memory of 4548	1152	Jeaiij32.exe	101
PID 1152 wrote to memory of 4548	1152	Jeaiij32.exe	101
PID 4548 wrote to memory of 4380	4548	Jlkafdco.exe	102
PID 4548 wrote to memory of 4380	4548	Jlkafdco.exe	102
PID 4548 wrote to memory of 4380	4548	Jlkafdco.exe	102
PID 4380 wrote to memory of 4400	4380	Kbeibo32.exe	103
PID 4380 wrote to memory of 4400	4380	Kbeibo32.exe	103
PID 4380 wrote to memory of 4400	4380	Kbeibo32.exe	103
PID 4400 wrote to memory of 3796	4400	Khabke32.exe	104
PID 4400 wrote to memory of 3796	4400	Khabke32.exe	104
PID 4400 wrote to memory of 3796	4400	Khabke32.exe	104
PID 3796 wrote to memory of 3724	3796	Kbgfhnhi.exe	105
PID 3796 wrote to memory of 3724	3796	Kbgfhnhi.exe	105
PID 3796 wrote to memory of 3724	3796	Kbgfhnhi.exe	105
PID 3724 wrote to memory of 1956	3724	Kefbdjgm.exe	106
PID 3724 wrote to memory of 1956	3724	Kefbdjgm.exe	106
PID 3724 wrote to memory of 1956	3724	Kefbdjgm.exe	106
PID 1956 wrote to memory of 4544	1956	Khdoqefq.exe	107
PID 1956 wrote to memory of 4544	1956	Khdoqefq.exe	107
PID 1956 wrote to memory of 4544	1956	Khdoqefq.exe	107
PID 4544 wrote to memory of 4924	4544	Klpjad32.exe	109
PID 4544 wrote to memory of 4924	4544	Klpjad32.exe	109
PID 4544 wrote to memory of 4924	4544	Klpjad32.exe	109
PID 4924 wrote to memory of 3204	4924	Kdkoef32.exe	110
PID 4924 wrote to memory of 3204	4924	Kdkoef32.exe	110
PID 4924 wrote to memory of 3204	4924	Kdkoef32.exe	110
PID 3204 wrote to memory of 3368	3204	Klbgfc32.exe	111
PID 3204 wrote to memory of 3368	3204	Klbgfc32.exe	111
PID 3204 wrote to memory of 3368	3204	Klbgfc32.exe	111
PID 3368 wrote to memory of 1356	3368	Kopcbo32.exe	112
PID 3368 wrote to memory of 1356	3368	Kopcbo32.exe	112
PID 3368 wrote to memory of 1356	3368	Kopcbo32.exe	112
PID 1356 wrote to memory of 4464	1356	Kblpcndd.exe	113
PID 1356 wrote to memory of 4464	1356	Kblpcndd.exe	113
PID 1356 wrote to memory of 4464	1356	Kblpcndd.exe	113
PID 4464 wrote to memory of 1720	4464	Kejloi32.exe	114

C:\Users\Admin\AppData\Local\Temp\c9558ca3594280e3588b80b6f9995990N.exe
"C:\Users\Admin\AppData\Local\Temp\c9558ca3594280e3588b80b6f9995990N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\SysWOW64\Jejbhk32.exe
  C:\Windows\system32\Jejbhk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\Jhhodg32.exe
    C:\Windows\system32\Jhhodg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\SysWOW64\Jbncbpqd.exe
      C:\Windows\system32\Jbncbpqd.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3348
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\Loopdmpk.exe
        
        C:\Windows\system32\Loopdmpk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Lamlphoo.exe
        
        C:\Windows\system32\Lamlphoo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        38⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\Mkgmoncl.exe
        
        C:\Windows\system32\Mkgmoncl.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Mhknhabf.exe
        
        C:\Windows\system32\Mhknhabf.exe
        43⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3708
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        70⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        72⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        75⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        76⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        78⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        79⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        81⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        86⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        91⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        97⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4108,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
1⤵
PID:6148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbbmmo32.exe

Filesize
56KB

MD5
1d6d940ecfbc349a3d341e851a213159

SHA1
62aa92fbe178805f0b88808ae07cb8dfc7dd4fb7

SHA256
f4d794a3d44a0333d5fa888fcbb9ccb9fd8df6a69ecfaeabab314b92c14ccd70

SHA512
945a27fd4e5dc119dd8fe9cbf622316ac3e5b4fd72abe37534ba44fb41e7ba921bef4d9c0fdc081516752c359ec5fae410190bddc759622c0e4a661afbc23eaa

Download Submit
C:\Windows\SysWOW64\Jbncbpqd.exe

Filesize
56KB

MD5
453ccccd48cfce21d27697c2c66ca0a1

SHA1
c8c371cd2c0183e74fabcb4720bd8f664e1e6d8f

SHA256
29aeb86eef3bf434ed22c85d82387cba8a341efa37df26fb095a8a46c70fe60e

SHA512
dd4c0af29037962586b3d8b2235df2bb326a5991aec16bf824f83c603af68242bce92fcb90155208fcd603ef377af1e1cb51f52f97ebb79bb1098a000c449997

Download Submit
C:\Windows\SysWOW64\Jdopjh32.exe

Filesize
56KB

MD5
dc75a1983f60d84052ec6b1fd1e3b810

SHA1
741145624473d8c637827a87d39ced739bf129b8

SHA256
db3077f81faa6c65a111bba597f43e57445ae62ec5b218d50f77b8d11def9474

SHA512
8bdf3af690a1db642d209cc8d9aee9162534717c928fa44b768c5f7c3ca81f48d836193b01a97f22c791917a10dc7be286bdfafe196b34eb439c1997eb7f3851

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
56KB

MD5
6c766fd3f87cc0dc79841c8d7bc03c90

SHA1
ced3c0db8ef2bb4daa9779958ea2213bb7223e72

SHA256
bd31236c73c866f7a8de24a379a32f08561729f4711ee35ff09d9d7612527b90

SHA512
5eb5e3914d9609cdb72fc9552c04b704c9594767119d98217dd020cfef2adddf00673ddeae83a971ab7360020efcd981587a37572f0553266e74d356fe1c0d96

Download Submit
C:\Windows\SysWOW64\Jejbhk32.exe

Filesize
56KB

MD5
f4df04fb2fc4556ec5f010af117f2525

SHA1
b38b639827b82acb4dd5eb30bbbe7f90aa7fceff

SHA256
9020cd90855b5b06d7a680473ee93c99ec7df87a6842569db77e2fb883f0d3a8

SHA512
d95ba0f672a845c3983d0ff51b3f1f55590b29ef0c510ae4a1987cd996dc83841f2faf90b062e7d35cb4cc34644dacd608bd9e9477c7cb44e41d8b6a6b72283c

Download Submit
C:\Windows\SysWOW64\Jeolckne.exe

Filesize
56KB

MD5
36428b0e7883e77a2fbcde28332fb605

SHA1
5c5302cccee1e1695295f6cb76b1f37d826f4915

SHA256
1af8d22cfb9712e708d3bdf9de8f8b5e2672bb9594f53a91a705242fe211132c

SHA512
e675f71a646dc2c3eec15491ef04140e6668127fb38577408aaab9a62d4dcaa4ac2f78518fddf741aa3b879487293b406fba6d1c62ebb25a9ab9b37e6d59d2ba

Download Submit
C:\Windows\SysWOW64\Jhhodg32.exe

Filesize
56KB

MD5
dbf74e0b42d33bcaa357158e1cddab23

SHA1
16c9fc578fcb3a3510c56c8c318b0996a4de0f64

SHA256
323a343955035b4093ba34e7096a546f3e4b809f4fc178f5955cd90f73c70956

SHA512
065495969f672d6a9149b582332146da00dc7bcb2116b81a13ffb038c9580bd0d096f8a0a6b16b710559aa5762f3ccc9991f016ce584492eb600917085459973

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
56KB

MD5
7f8813f7698ad6651ede3ba05131f83a

SHA1
6b97e0de2fca050ecfc79565fb72ec652f0416b4

SHA256
c607fa6470e6100ec2cd13796d427e31c602fc07c287506b5166fd9e1f16a523

SHA512
6fc9aabbdbb00cf20f2701ad5c42c7d9451a6fbfdf993e64fc301af21114b1ef936eadea1a1af42bf965a9e96fa666938b2d0f115211ab4a3c9fd515146dc12c

Download Submit
C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
56KB

MD5
5de78fbf565656fcbead3eb8fc919a84

SHA1
a05d12a91fcc9f65e7d371994bde5880f2e587e1

SHA256
93b6785466b1aaab326323d35d80ba4ccf44d904ec17939c0eb94de65e9b7182

SHA512
4df9e9096b0b31ce2a065f2ed5540d2c36b11bd59bfbd548f8223fd65ea69a5bba993da86a808383dec07505861b4c1955e9339495e17f3eb67347162be2dbec

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
56KB

MD5
81ceda18bd3e9203b7cf181b4bdcda83

SHA1
9e2da81aca0b51656921b34e7323052966c32d4c

SHA256
aa76a784e7e6b3ce14202f0a99b45228ff226cb78b3b4f5dab5759cbbe63c381

SHA512
1a8bd34edde826fa5043b4bfcf86cb294678d199f4cf4e47ab1b9e68edc2d5103d9e43473e2939e9797facc55c110218da902751742323fdc154d0980cfd95f7

Download Submit
C:\Windows\SysWOW64\Kbeibo32.exe

Filesize
56KB

MD5
956c8a2b1c46708a25592d025f3cdf06

SHA1
a020d0a5d15d0a034e0043fb94876001879117ce

SHA256
3b5c0a445e0ddf76bf46fa8e67caaefc2042751ff374439dd34935d60d19619b

SHA512
e14eba5432452a4813ccabfbdf42c0b4471a1527bd7ab3bc9cb621c52df9b5236fadcdfd1d53c7c516226ad727c6f9e6239fdf7e890148829fbb98c796fd0e17

Download Submit
C:\Windows\SysWOW64\Kbgfhnhi.exe

Filesize
56KB

MD5
d2b9fc8606dbccd5ce33138e5fc9ae03

SHA1
ed15c8eec1eaa7a3fe89280077117183db362a4a

SHA256
441970ded16e9a87168adffd50392e546b3420b4b9ce2185ce6ca48dfee64dfc

SHA512
ce06211359033211425c8bc8f9e195bfd06fdbff0408b8e05f51c743449627ef9fee67e980415d159b8f67f722419254ed676103fba53211ec0d08d8ee61034d

Download Submit
C:\Windows\SysWOW64\Kblpcndd.exe

Filesize
56KB

MD5
840c5bb75f7d792080c830fdcb2cdd6f

SHA1
0b87ad9e131d3dcf13b72d7191cb1002621e0c26

SHA256
151d6e3415a684749e89868cf58215a61a149653f706cfb41170441433b5a401

SHA512
ebba8a351badadec27bd82cd4f5dc159988de16bbb175dfd5b1e4c3657687faadfa7b3c215a4f553722e628469baa5c5979e6250e524fc952000c9a63da16d2c

Download Submit
C:\Windows\SysWOW64\Kdkoef32.exe

Filesize
56KB

MD5
ef329242acf5debb5770756fdebc0fa5

SHA1
796298891df75116f474160c039d40a1fc105276

SHA256
73de918d212bbc18ed6ff28b28a04b109a0814dd9d62c97142e38dc2085f5f4f

SHA512
a7aa13c44153ba1fbdc504bab74beb73ee3bc42a447e389ab649e3010286e019557337584ee3b0bdda7f3073de1ff2b7d2e0b8bd4ac17feedfa905aed429a4eb

Download Submit
C:\Windows\SysWOW64\Kefbdjgm.exe

Filesize
56KB

MD5
cf0e05073f4e7a8bea11b8bdb835bb5b

SHA1
0ef30bba3dd1a3ca95ca077340df8a836a442506

SHA256
7d7ca3060a1bc3c42aff3cf6aca3587fd56634c11f3fcae630189919e21e3379

SHA512
0a753623680be587e3a94984ff4bb44329d4822bdfe1285762e7de38e260d77b6c437058c78fe64e7a1ccd3a778bc6e2c115a16b55c776fb6ad8cfd211466195

Download Submit
C:\Windows\SysWOW64\Kejloi32.exe

Filesize
56KB

MD5
42b19f59a4ba429fce0713c4a4aa6bd2

SHA1
017ecb9b964c3e308fa03f4b4a3bce81d7e4f290

SHA256
d5c427a58b0e7a9f11c69d76825b63360591de88c8cee0545e11c16f3eeffa61

SHA512
fe8439f34a19403adfc5ffc0d8d88f0edd1cf242e619ffcdda0bdacbffae084da701261e0b2b9f9858636202059c1b43e61851c88681aeadbe0716f99366e907

Download Submit
C:\Windows\SysWOW64\Khabke32.exe

Filesize
56KB

MD5
4c724a4a6811a74917b3a9b562d0d4ba

SHA1
31f23a47d555a2ee763f7207ab064c44e4e39ee3

SHA256
a5e9c618f4ebaa21dc4ebca2a05cba257c77e9119030fd4f4860148603bfa9b8

SHA512
03170e89bdef0c750992dffc3eb63e9a2c51520a0c028f3708c4fb2124fb450f2a2b7be04c6a8f33edb4b06bd6e00dd630bf7f1ddd8619eedae0038205c9ef63

Download Submit
C:\Windows\SysWOW64\Khdoqefq.exe

Filesize
56KB

MD5
c0ee408389736dc34b1e18f0247fc29b

SHA1
21ee58e5080a91e8593569708cb7bda0a1934e10

SHA256
84408ff9615809eaf140d71ab2a66f11f98179ee44b44ee488fb44da29450fd9

SHA512
172d9ff2728aa89d4e06e8ffdda25fa9e01e3e084a5976064b930e9e61893ed6e851a9d315054afd47394b6e0f07ebe0d3cdbc2bc10d94fccb6e4bb99bf0b2ab

Download Submit
C:\Windows\SysWOW64\Khihld32.exe

Filesize
56KB

MD5
9f8be271468929c73bd0d996e18e170e

SHA1
ee14000c62bd5186b2488d063dabf3bf26fa8e3d

SHA256
f82c023a60818b994784f129f83495d0a5e0c643ee8306d8a9d83b84398a344a

SHA512
975f0326912081c2b894a1393b0a2541ba086a7cd31bfbbafa849e075cfd390f936e4ed14869033726884b7a4ef61a69c6975a358d6ba82c3cdab22274fe4227

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
56KB

MD5
706c35191b6d617e78a7056bc6490796

SHA1
6c5f16f9e131b93bae58e8dd66ca4853d7a8de51

SHA256
4ca0226773cefb2b40fb55560145814029cd55b45a0beaea2863ea447a3d08b8

SHA512
4b6aab3033c545f466020a984bb6098600a0a359a2d6dda4dbe2ecd6796b15d73982cdf2039ac32071f6463898df4944f98ed8b5d36606fdf60269323d7779ee

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
56KB

MD5
0cbab1b709517324344cd4f972e25469

SHA1
ff260b2b675f76fa90bed2e4e0871f3660756efd

SHA256
646952c37f219b0440f606de56495e94e7acb68580e4f42abaa3415544371a17

SHA512
de06e494e214bebe6ff11747b2b3c3bb3c6aa88ef7a0189194660db9d6b5f4e70bfce7b62e15cb0eb8593cd7459a63581583ed64ca92a2eae7c861e7b779d208

Download Submit
C:\Windows\SysWOW64\Kopcbo32.exe

Filesize
56KB

MD5
6ee404f0587bb312534968943951635c

SHA1
85396ec7ce0e9f33bd8884c570c67ddc67c613f2

SHA256
622aa8f6ebc0f5f9fc46e65707ad12c18e7381ab92db705d63b06203926be7ca

SHA512
7dc7726d956da18c436fd62f3155685fadffd7de7651013122004437af02023238f9589759100c250f6547cc65abf94bacc36a673722d35de8ab2d0cbb4ee439

Download Submit
C:\Windows\SysWOW64\Lahbei32.exe

Filesize
56KB

MD5
67f4773fda0a1c3ecbb1d738541e579c

SHA1
46e7cd64de3e03332bc535785f7b10969366223b

SHA256
ce05fd5f02ed3a10e743f671427d53f8bcd74e46aeda455f16d2a7c3fc6204ac

SHA512
1fcb1b95eee89eac4f74db2a216d092555307a461d93b67dd4b091f8c78b9aea11761fe424027a04335d0267f183f162491abe2d17854433d729435bc8e987f6

Download Submit
C:\Windows\SysWOW64\Lbebilli.exe

Filesize
56KB

MD5
09103e4d0c99c4647cb48e8a5658dffd

SHA1
9930db4ff755e8687f99f0c85d9abf68745acc63

SHA256
6034c6de0e43a390e9eb99123afab95cb9266f0b249b979b21c9495e6bf42ab2

SHA512
21aab59d915aa3a6fe1546a0eb695553665ae1581e3f5525f500a077bf26fa65051a55a8e93156663d2fb07fd5745b066977948cb052a2e99c96d94e64291395

Download Submit
C:\Windows\SysWOW64\Ldbefe32.exe

Filesize
56KB

MD5
d7efb52c29ea42a165001b601c365039

SHA1
fa06b88dca59609fc44b30c00a61791c9fbbae25

SHA256
fcba3e45a03492c47a08b8caa7c58f37ef2b141249dc11593500eeede05a350b

SHA512
d9c81946ee28aaafdfb2b22ea34a6b8310dc046e742cf99ecd9371e3c26a76d7a60ee47c95e6fe7e03febcc98b2d4e9f57dbacc716f4946d76d77a5097e1e65a

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
56KB

MD5
ffbe52f85af2fc1fdc3491aedc741fe3

SHA1
9e2dbed8882740d0f98ae396b8250905c3c130ff

SHA256
98bcf126bddbc6ea40bf7d1417bb0de287f09901b8e0a259792c27fad0cbefab

SHA512
1eab82352ddd2093fa7f7aa728f86f3764f431a0755154cc9eac9af1271708daeed00b06817827fe45d525a2f0f3d74f2c7dbb3bb4d0921c4874e6a0c09f532f

Download Submit
C:\Windows\SysWOW64\Lhbkac32.exe

Filesize
56KB

MD5
9d476a682cf8cd635e902efaf219aaf7

SHA1
88e14c77c1d60f5099d21926df76a4762fc32bad

SHA256
b0fa99f351117e3ab4081607f9355c64d950ba5f4749807b5d36fef505f7530b

SHA512
18e58ed32f89d30f98a0e38875ccbf054f8a8a46aa6e1f1e6c455527dcc7d3f9b36bea5898b7f5ebaad293a0e77282fd58c5c8e66a0941747943bbce3b0b5ff5

Download Submit
C:\Windows\SysWOW64\Lkiamp32.exe

Filesize
56KB

MD5
70abdb4d9fa2b90be1a8a2947898a905

SHA1
99495d87e73c8ab094c4828e9df074cd9a931973

SHA256
ef3749d09bb0507d284ae3b0ded1b55fa7e5118bcf53c4c704c22a3c9b2cb905

SHA512
6afccf297ee39cb8cc5cce05d1808e137cb368c6bb08d39652d57d64a587abfab8ecee5fe7a180de39a1849b3421f6c560f16745e36116b5a930e92e2db39a38

Download Submit
C:\Windows\SysWOW64\Lklnconj.exe

Filesize
56KB

MD5
4fd205bb6c596a82787d6ff357510431

SHA1
2eea9f45573b335824cf52b56b02b8cf600900b0

SHA256
8a626d818094298bdffc4c6b0a1f7330459ad6fc40c7014793e34ce254bd777d

SHA512
65312d55b23c6d95904a47d41806405d3861d0a91bc1fd1ad74f2a77667745d4ae112e3a48d9f2b6ed0baa41411da7296b23a08ae2cbabc671008e6f1f0fb05a

Download Submit
C:\Windows\SysWOW64\Lknjhokg.exe

Filesize
56KB

MD5
52d89abfb4f742242398db4a13915f95

SHA1
dddd72f29d1aa22b7de22f8da4e923a01015a95c

SHA256
0141076040669b6e545b6cc6ed2fd651efbd36baf73ec321cb84efd257497015

SHA512
ba900769910b7bd4e30bee2988d9d56a81cc9efffa67107034591fd64bbd763824d62f20769f6d4c26799792d0f3791201c4c80857ba48b4c0f59051f7646edc

Download Submit
C:\Windows\SysWOW64\Loemnnhe.exe

Filesize
56KB

MD5
6cb1bc1a53400fcb72ac4da581ce5246

SHA1
5a61e12aaedb6ee561bca6cddfbbf02108be99dd

SHA256
09d0fb67df767656cd649fa481f59da4ce04c3108fe74c4a326d3cceb32000e0

SHA512
5b18e95d5c1d8f4b654d647807e7199c1afb88fb9c024332349c01b2037b9c4d136a7c7875853293a8a14f0fea18c222fbc54e55094d953786f08d0c352c1447

Download Submit
C:\Windows\SysWOW64\Lolcnman.exe

Filesize
56KB

MD5
099103c373ae1e26ac58d271df736901

SHA1
52e47939061181e6b300b0206196ded53ba4aa4b

SHA256
972ca6873fa1a4286002692ded64deb8ed8b47f45b6e6e24d94b190323a66496

SHA512
57987daee52b7afdbfaf943421aadfbfab0e0a4fa3a6c5e541f42a4bae21b4cff10a557c3c0385e7ddf0921f39a0924903ce14fac31156855738c5f4a84d4812

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe

Filesize
56KB

MD5
a3af07687dd921db19c16cb9e09c35f8

SHA1
787f676c444e93bfd50798f74e99339506b9d0d6

SHA256
7a01e4b6bd933d27fcf8f4e5d22789e0231ad0b5f4c317298579362135d32b99

SHA512
a00731c7bc3b66a49fe573b6ec4064520ebf4a1a374f39cd6053a308e6bab381a8dbe51d7e727f0527b754524276b4330339e4051347ab6272f19fa65afb5d9b

Download Submit
C:\Windows\SysWOW64\Pmoagk32.exe

Filesize
56KB

MD5
ad154ea9383bbdb2ad0e3df48616af90

SHA1
62e2d4681121bf81231529b0077b34589e69f883

SHA256
51aa8f083bdb18f9dc32a06a767b8502ab450ac6c91832f88787aab8e396e31f

SHA512
25e755102837b07389ac361bfae57ff28683da97ea658b7894791df786d4098829ccfa614bbd23e829a4f606f82907d32e795305eb3d4a71422a6a7699e35bad

Download Submit
C:\Windows\SysWOW64\Qmanljfo.exe

Filesize
56KB

MD5
9b66a0c5bebe678567938d9eb3a44aa6

SHA1
402b16986eef425bb20915353ed6beff345443ff

SHA256
d4009689000b78a5b321ab77d69d963a2fc84ee29ca7a2d3128e444e12347931

SHA512
5fffca080e0768a8a45dd5a6a5664a0d93dd64eacadf58157b774b8c0eb2a653e05d047111d89b85fdb24da08c0de0711baed6daadaa9ec3ab5b3d3756ef1033

Download Submit
memory/696-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3392-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3392-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4200-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads