48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe
Size

80KB
MD5

49c0499bb4925acc904efff5b68db0f1
SHA1

f4254484eac61f587143b5ef1252bc730660ebf7
SHA256

48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da
SHA512

1329054de027594bb59ff52bff0fcb8f63d3fdb1b2f047333fcfbf998e9a2ab7d7b3e5a48c911ead2bde39fd47dcc2dbe233bbbef3bc3d1359d219e778deabfe
SSDEEP

1536:niX/mIw3ePzWupV32L5J9VqDlzVxyh+CbxMa:n3XefpC5J9IDlRxyhTb7

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihbponja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfiokmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieojgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidinqpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlgoek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapfiqoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jahqiaeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lojmcdgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfiokmkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbibfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iojkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbojlfdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kolabf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnehj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiccje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mohidbkl.exe

Executes dropped EXE 64 IoCs

pid	Process
3644	Ilfennic.exe
4372	Ieojgc32.exe
1916	Ihmfco32.exe
4460	Iogopi32.exe
3668	Ieagmcmq.exe
3952	Iojkeh32.exe
3424	Ihbponja.exe
4576	Ibgdlg32.exe
2560	Iialhaad.exe
3604	Iondqhpl.exe
1052	Jidinqpb.exe
3632	Joqafgni.exe
3680	Jifecp32.exe
1712	Jocnlg32.exe
796	Jbojlfdp.exe
2300	Jemfhacc.exe
3776	Jlgoek32.exe
3008	Jbagbebm.exe
3536	Jikoopij.exe
2388	Jhnojl32.exe
2344	Johggfha.exe
2980	Jafdcbge.exe
8	Jhplpl32.exe
2440	Jahqiaeb.exe
4492	Kiphjo32.exe
1540	Kolabf32.exe
3368	Kefiopki.exe
2076	Klpakj32.exe
4376	Kcjjhdjb.exe
1848	Kamjda32.exe
648	Kidben32.exe
2340	Kapfiqoj.exe
644	Kpqggh32.exe
3972	Kemooo32.exe
1760	Kpccmhdg.exe
3180	Kadpdp32.exe
4668	Lljdai32.exe
4276	Lafmjp32.exe
3884	Lhqefjpo.exe
3640	Lojmcdgl.exe
2504	Laiipofp.exe
1620	Lhcali32.exe
1576	Lomjicei.exe
784	Ljbnfleo.exe
2944	Lplfcf32.exe
3020	Lfiokmkc.exe
4200	Lhgkgijg.exe
2536	Lpochfji.exe
1208	Lcmodajm.exe
1800	Mfkkqmiq.exe
4696	Mledmg32.exe
4840	Mcoljagj.exe
3760	Mjidgkog.exe
264	Mofmobmo.exe
924	Mfpell32.exe
4880	Mpeiie32.exe
436	Mohidbkl.exe
3216	Mjnnbk32.exe
1068	Mqhfoebo.exe
3044	Mbibfm32.exe
1680	Mjpjgj32.exe
4176	Mqjbddpl.exe
2992	Nblolm32.exe
4976	Nfgklkoc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ieagmcmq.exe	Iogopi32.exe
File created	C:\Windows\SysWOW64\Kngekilj.dll	Ieagmcmq.exe
File created	C:\Windows\SysWOW64\Emlmcm32.dll	Lojmcdgl.exe
File created	C:\Windows\SysWOW64\Nmfmde32.exe	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Pbcncibp.exe	Ppdbgncl.exe
File opened for modification	C:\Windows\SysWOW64\Piapkbeg.exe	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Laiipofp.exe	Lojmcdgl.exe
File created	C:\Windows\SysWOW64\Oifppdpd.exe	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Pmhbqbae.exe	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Himfiblh.dll	Ihmfco32.exe
File created	C:\Windows\SysWOW64\Ehfomc32.dll	Kiphjo32.exe
File opened for modification	C:\Windows\SysWOW64\Nckkfp32.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Nbbeml32.exe	Nmfmde32.exe
File created	C:\Windows\SysWOW64\Cjkhnd32.dll	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Kidben32.exe	Kamjda32.exe
File opened for modification	C:\Windows\SysWOW64\Kidben32.exe	Kamjda32.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pblajhje.exe
File created	C:\Windows\SysWOW64\Lpochfji.exe	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Pblajhje.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Jcoiaikp.dll	Jidinqpb.exe
File opened for modification	C:\Windows\SysWOW64\Kcjjhdjb.exe	Klpakj32.exe
File opened for modification	C:\Windows\SysWOW64\Lafmjp32.exe	Lljdai32.exe
File created	C:\Windows\SysWOW64\Mgccelpk.dll	Mjnnbk32.exe
File created	C:\Windows\SysWOW64\Nfldgk32.exe	Noblkqca.exe
File created	C:\Windows\SysWOW64\Gflonn32.dll	Obnehj32.exe
File opened for modification	C:\Windows\SysWOW64\Omfekbdh.exe	Obqanjdb.exe
File created	C:\Windows\SysWOW64\Nhoped32.dll	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Pbhgoh32.exe	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Dblamanm.dll	Pmkofa32.exe
File opened for modification	C:\Windows\SysWOW64\Ibgdlg32.exe	Ihbponja.exe
File created	C:\Windows\SysWOW64\Kpmmljnd.dll	Jlgoek32.exe
File created	C:\Windows\SysWOW64\Ablmdkdf.dll	Kefiopki.exe
File created	C:\Windows\SysWOW64\Mgfhfd32.dll	Kpqggh32.exe
File created	C:\Windows\SysWOW64\Mqhfoebo.exe	Mjnnbk32.exe
File created	C:\Windows\SysWOW64\Naagioah.dll	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Oajgdm32.dll	Pbekii32.exe
File opened for modification	C:\Windows\SysWOW64\Pbjddh32.exe	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Cgpfqchb.dll	Jbagbebm.exe
File created	C:\Windows\SysWOW64\Jhplpl32.exe	Jafdcbge.exe
File created	C:\Windows\SysWOW64\Kemooo32.exe	Kpqggh32.exe
File created	C:\Windows\SysWOW64\Chgnfq32.dll	Lafmjp32.exe
File created	C:\Windows\SysWOW64\Bpenhh32.dll	Nmfmde32.exe
File created	C:\Windows\SysWOW64\Fpgkbmbm.dll	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Likage32.dll	Omdieb32.exe
File opened for modification	C:\Windows\SysWOW64\Paihlpfi.exe	Piapkbeg.exe
File opened for modification	C:\Windows\SysWOW64\Oiagde32.exe	Ooibkpmi.exe
File opened for modification	C:\Windows\SysWOW64\Opbean32.exe	Omdieb32.exe
File created	C:\Windows\SysWOW64\Bmgjnl32.dll	Ppdbgncl.exe
File opened for modification	C:\Windows\SysWOW64\Ppgomnai.exe	Pmhbqbae.exe
File opened for modification	C:\Windows\SysWOW64\Johggfha.exe	Jhnojl32.exe
File created	C:\Windows\SysWOW64\Kamjda32.exe	Kcjjhdjb.exe
File created	C:\Windows\SysWOW64\Kpqggh32.exe	Kapfiqoj.exe
File created	C:\Windows\SysWOW64\Aadafn32.dll	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Ljgmjm32.dll	Opbean32.exe
File created	C:\Windows\SysWOW64\Omfekbdh.exe	Obqanjdb.exe
File opened for modification	C:\Windows\SysWOW64\Pfojdh32.exe	Pbcncibp.exe
File opened for modification	C:\Windows\SysWOW64\Pciqnk32.exe	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Jhplpl32.exe	Jafdcbge.exe
File created	C:\Windows\SysWOW64\Clpchk32.dll	Jafdcbge.exe
File created	C:\Windows\SysWOW64\Jacodldj.dll	Lplfcf32.exe
File opened for modification	C:\Windows\SysWOW64\Mqjbddpl.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Ebdpoomj.dll	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Pencqe32.dll	Paihlpfi.exe
File opened for modification	C:\Windows\SysWOW64\Laiipofp.exe	Lojmcdgl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6028	5764	WerFault.exe	199

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckkfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjaleemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iialhaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbeml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfojdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbjddh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmodajm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibgdlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqhfoebo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgkgijg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcoljagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilfennic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieojgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihmfco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbojlfdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jafdcbge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mohidbkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhegig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpqggh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjpjgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oifppdpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laiipofp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpeiie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njljch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofmobmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oonlfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbhgoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jemfhacc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikoopij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieagmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jahqiaeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidben32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noblkqca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paihlpfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiphjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpccmhdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbibfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojqcnhkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lafmjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgklkoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Johggfha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqjbddpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opbean32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhbqbae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcgdhkem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidinqpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlgoek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapfiqoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfiokmkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkofa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfccogfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihbponja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcjjhdjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfpell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njedbjej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgdcipq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iojkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nblolm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqcejcha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpochfji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfkkqmiq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kefiopki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfmmb32.dll"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnllm32.dll"	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jemfhacc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlgoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kolabf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnebjidl.dll"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fegbnohh.dll"	Lpochfji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obnehj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhfdb32.dll"	Kolabf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Likage32.dll"	Omdieb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjfaikb.dll"	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmgil32.dll"	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfojdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anafep32.dll"	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Lojmcdgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacodldj.dll"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbagbebm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ooibkpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgibp32.dll"	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll"	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leboon32.dll"	Kidben32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pencqe32.dll"	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgkan32.dll"	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidpon32.dll"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kidben32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll"	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieojgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jemfhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdkcj32.dll"	Lfiokmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgilf32.dll"	Mbibfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhmjl32.dll"	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbqppqg.dll"	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljgmjm32.dll"	Opbean32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbojlfdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laiipofp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 3644	2296	48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe	89
PID 2296 wrote to memory of 3644	2296	48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe	89
PID 2296 wrote to memory of 3644	2296	48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe	89
PID 3644 wrote to memory of 4372	3644	Ilfennic.exe	90
PID 3644 wrote to memory of 4372	3644	Ilfennic.exe	90
PID 3644 wrote to memory of 4372	3644	Ilfennic.exe	90
PID 4372 wrote to memory of 1916	4372	Ieojgc32.exe	91
PID 4372 wrote to memory of 1916	4372	Ieojgc32.exe	91
PID 4372 wrote to memory of 1916	4372	Ieojgc32.exe	91
PID 1916 wrote to memory of 4460	1916	Ihmfco32.exe	92
PID 1916 wrote to memory of 4460	1916	Ihmfco32.exe	92
PID 1916 wrote to memory of 4460	1916	Ihmfco32.exe	92
PID 4460 wrote to memory of 3668	4460	Iogopi32.exe	93
PID 4460 wrote to memory of 3668	4460	Iogopi32.exe	93
PID 4460 wrote to memory of 3668	4460	Iogopi32.exe	93
PID 3668 wrote to memory of 3952	3668	Ieagmcmq.exe	95
PID 3668 wrote to memory of 3952	3668	Ieagmcmq.exe	95
PID 3668 wrote to memory of 3952	3668	Ieagmcmq.exe	95
PID 3952 wrote to memory of 3424	3952	Iojkeh32.exe	96
PID 3952 wrote to memory of 3424	3952	Iojkeh32.exe	96
PID 3952 wrote to memory of 3424	3952	Iojkeh32.exe	96
PID 3424 wrote to memory of 4576	3424	Ihbponja.exe	97
PID 3424 wrote to memory of 4576	3424	Ihbponja.exe	97
PID 3424 wrote to memory of 4576	3424	Ihbponja.exe	97
PID 4576 wrote to memory of 2560	4576	Ibgdlg32.exe	98
PID 4576 wrote to memory of 2560	4576	Ibgdlg32.exe	98
PID 4576 wrote to memory of 2560	4576	Ibgdlg32.exe	98
PID 2560 wrote to memory of 3604	2560	Iialhaad.exe	99
PID 2560 wrote to memory of 3604	2560	Iialhaad.exe	99
PID 2560 wrote to memory of 3604	2560	Iialhaad.exe	99
PID 3604 wrote to memory of 1052	3604	Iondqhpl.exe	101
PID 3604 wrote to memory of 1052	3604	Iondqhpl.exe	101
PID 3604 wrote to memory of 1052	3604	Iondqhpl.exe	101
PID 1052 wrote to memory of 3632	1052	Jidinqpb.exe	102
PID 1052 wrote to memory of 3632	1052	Jidinqpb.exe	102
PID 1052 wrote to memory of 3632	1052	Jidinqpb.exe	102
PID 3632 wrote to memory of 3680	3632	Joqafgni.exe	103
PID 3632 wrote to memory of 3680	3632	Joqafgni.exe	103
PID 3632 wrote to memory of 3680	3632	Joqafgni.exe	103
PID 3680 wrote to memory of 1712	3680	Jifecp32.exe	104
PID 3680 wrote to memory of 1712	3680	Jifecp32.exe	104
PID 3680 wrote to memory of 1712	3680	Jifecp32.exe	104
PID 1712 wrote to memory of 796	1712	Jocnlg32.exe	105
PID 1712 wrote to memory of 796	1712	Jocnlg32.exe	105
PID 1712 wrote to memory of 796	1712	Jocnlg32.exe	105
PID 796 wrote to memory of 2300	796	Jbojlfdp.exe	106
PID 796 wrote to memory of 2300	796	Jbojlfdp.exe	106
PID 796 wrote to memory of 2300	796	Jbojlfdp.exe	106
PID 2300 wrote to memory of 3776	2300	Jemfhacc.exe	107
PID 2300 wrote to memory of 3776	2300	Jemfhacc.exe	107
PID 2300 wrote to memory of 3776	2300	Jemfhacc.exe	107
PID 3776 wrote to memory of 3008	3776	Jlgoek32.exe	108
PID 3776 wrote to memory of 3008	3776	Jlgoek32.exe	108
PID 3776 wrote to memory of 3008	3776	Jlgoek32.exe	108
PID 3008 wrote to memory of 3536	3008	Jbagbebm.exe	109
PID 3008 wrote to memory of 3536	3008	Jbagbebm.exe	109
PID 3008 wrote to memory of 3536	3008	Jbagbebm.exe	109
PID 3536 wrote to memory of 2388	3536	Jikoopij.exe	110
PID 3536 wrote to memory of 2388	3536	Jikoopij.exe	110
PID 3536 wrote to memory of 2388	3536	Jikoopij.exe	110
PID 2388 wrote to memory of 2344	2388	Jhnojl32.exe	111
PID 2388 wrote to memory of 2344	2388	Jhnojl32.exe	111
PID 2388 wrote to memory of 2344	2388	Jhnojl32.exe	111
PID 2344 wrote to memory of 2980	2344	Johggfha.exe	112

C:\Users\Admin\AppData\Local\Temp\48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe
"C:\Users\Admin\AppData\Local\Temp\48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\Ilfennic.exe
  C:\Windows\system32\Ilfennic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\SysWOW64\Ieojgc32.exe
    C:\Windows\system32\Ieojgc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\SysWOW64\Ihmfco32.exe
      C:\Windows\system32\Ihmfco32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Jbagbebm.exe
        
        C:\Windows\system32\Jbagbebm.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        24⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1848
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        35⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        43⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        44⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:784
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        78⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        88⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        89⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        92⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        106⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 400
        107⤵
        Program crash
        
        PID:6028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4368,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8
1⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5764 -ip 5764
1⤵
PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ibgdlg32.exe

Filesize
80KB

MD5
1a811e84f33b86ca0cf2bdae6e101d41

SHA1
549a0fbcf362bc2665322eee7981d26ea1a99a95

SHA256
3eb3ef227c2c5eb0c6223719332a8fa8fd7516d7376ebb5776f708e48cb6332a

SHA512
5afca9f8f7f35cf1c7e8eb77f90d38279e5cbfca55b88273dbf7f33bef938efa042c90f7b8a311c02d589f474fadc10b05ffd7f051c5f8e1e85f26f60dd84893

Download Submit
C:\Windows\SysWOW64\Ieagmcmq.exe

Filesize
80KB

MD5
e4c10d08da9b229777249a0975d6ff04

SHA1
7e3442564aad30ed4b83c209aaa0919ff2ff1d71

SHA256
91b1bc8478f724a0ffe06d8b460a7f99537f54eccb7f38969ab480954c557669

SHA512
eff10dccc0cb9392eac3a9ebb10493609287f3b30bde0e4f61c7b0a85d5c0698e945c1701f492f1a6032a0ad123c82f344043bb3617e04cbf8c07e81a531b58c

Download Submit
C:\Windows\SysWOW64\Ieojgc32.exe

Filesize
80KB

MD5
bcfe8ad9c5323aafdfeb3c1740a71d4a

SHA1
8fe2179153807f86d474ead098b4c99777b4eaa1

SHA256
d4b378e067bc2361e44730a98c10bd8960e802e7af41f88b07bad3d42165ee53

SHA512
fea6e101a8f073f11a7137820ec0f91834c86e680963d27a24c9f5605764c93aaa4ab853319cd1576234f2dc9b6fc7ea157b06d623d5b876047241cfcb4ffa76

Download Submit
C:\Windows\SysWOW64\Ihbponja.exe

Filesize
80KB

MD5
4af28f8e33428145c1b28f84c0a93951

SHA1
d56c4ff3affbfb8769739336994e16af5038b13e

SHA256
d93532d7235e4ef3c43f68812b399ae0a85120fe17481cc4b1a48090631acd55

SHA512
34a9a7d313e378ebcbe5f7488eebb7f6d8b0f932058a2918a08b6856d7f08a68720f85b91173afd75dc9a049c74befdf62d899121ef5b3d56c6e6409cad322a5

Download Submit
C:\Windows\SysWOW64\Ihmfco32.exe

Filesize
80KB

MD5
7f0d1b7e4f6163f0ef2c6872f14b05f7

SHA1
bf5bf9e2f61e27cf1312e14dadccb498abff5bbb

SHA256
1d966f9aad1b85ffe522cab0524e6108bcbf7f78447a8a6e2a905a6a516097fe

SHA512
4e8cb279fb585a4453844d3fb5d189237f4051bb76789f59088ffda11b4508c36a4bdf50e095b06dd883038f041f84445cbd1b07b08631140127d5066bf4be34

Download Submit
C:\Windows\SysWOW64\Iialhaad.exe

Filesize
80KB

MD5
08c0330ff910bbc81830e5930bf2d0fd

SHA1
6667a8f2a98c42d9f9d03befc814e4eedf04bae2

SHA256
c85119820632948c7ce9ad9a21cbc5470b8c727dad5a8d0a373768e90b7f09e9

SHA512
79bfa78b01c688548d1a7faf59be609fba5664a7c020c8baa60e32450f15ea5afce1a84c7d1cdd9388d973f33eb4b9dfef08d66be44f3f43c92d8eee00716987

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
80KB

MD5
405e29de9965c4803a6b1b9f9a25f3fc

SHA1
46f0ed4dcf871ab52914ab85ce044e7aa938570b

SHA256
a16025385e6648997144d78f2a3b3c89882766675aade019bd357ea21a938a1a

SHA512
ac2c23a8db61c9d377d74e61546290e3968013ceb48ab961d26a65b604f59461353d52e062395c6dccb0f2e9b4cb4b3e0a2f0ea66a39764d65c503307568b7bf

Download Submit
C:\Windows\SysWOW64\Iogopi32.exe

Filesize
80KB

MD5
c0d507e608d52c2729e5a28660059085

SHA1
aeb16f779ed6d464cdd8df66bee3f590ca99ab36

SHA256
c40e3a535c0429b4404d39a2d5511cb50cf08d535d42dd60b72d63a3f8c31215

SHA512
ff14d7bcaf16de6d8d58008154f57fa6e42c5e663daacf6149f70e46d61e86c67c41cc83fed7e3b6080faa596fc557c794d890edef082f50a6f7d43658ddcdc2

Download Submit
C:\Windows\SysWOW64\Iojkeh32.exe

Filesize
80KB

MD5
3dc943c860f69f3bb96e382ccababc9c

SHA1
eb994551692d13e9d8821b60f4fc2494765d7786

SHA256
4b3000268d3fda13949b9ccfd8565266f5eefeaf488c9a38f099c8a7e5bec411

SHA512
aec124728194b7457b002b786e9d3e149f15faccfe7e6abf22eb0b37bf2b403e166f53dc7b232e99e2689afb00821128fe743302cf50ca1a8d244052509d2397

Download Submit
C:\Windows\SysWOW64\Iondqhpl.exe

Filesize
80KB

MD5
582b88764f625dabd4d913cb5ff89ca1

SHA1
0beced53a188b7598a372554342bc8772ec6bcb5

SHA256
cc6079b69a1f083cc4175341ad65e0ceadb33553ba79a736ea82de9e95ab70b6

SHA512
f4f1295c13ff0fa1d07c9eba9580c0f6ebfdf45f4ff2c2015ea4101d0a6d34da798a0fc0e7d4b728b042283be4e0fa0fce646482369c36672e29e6d2da4d09fb

Download Submit
C:\Windows\SysWOW64\Jafdcbge.exe

Filesize
80KB

MD5
a455c96db2a964f0ce3666d1fbc257de

SHA1
0f44bb95dc1382165bd1c50b19225423c8539eb1

SHA256
49ffa1ce463d691731d16a3a3c203b031cf7999899ab957efbc523035d1d0b65

SHA512
408680c457a74c0d855dfb53b3494b48353b77f6be72a6855ee28e6527340ab6ec7174f2f3350e7efafa91f2d9bcc87e768243dbfaf891e731da78ac0119c9fb

Download Submit
C:\Windows\SysWOW64\Jahqiaeb.exe

Filesize
80KB

MD5
4be723d37fa96cd4392791d36683fbb1

SHA1
d66e56560c0ee2e8508829110a7ab72bd4d6b683

SHA256
49c3c8709288d42ff18b21a98c5f3bf5a073a922595663a28580e2b3cc01fe5a

SHA512
3fc2983becec13230a22ef022ea16c383421d59a3d9923ffbb6ebdc569d2156c7d64de854e94767dc45de37d8af613f23bbc78b368ccd141eca3a47c4b4e211b

Download Submit
C:\Windows\SysWOW64\Jbagbebm.exe

Filesize
80KB

MD5
4197312bd9ab643516380d8d11a51641

SHA1
2779cef750692525efa09d45779ff88d33ae8951

SHA256
184ce6b101a47d2a5b7fbf5691881789a791b03f586b82a51ebd568d028914c3

SHA512
304f4ddeb5d3ea6011deb1b83e6722ad61ef4b2b98a5061ed2bf4d3b75abc6c67f6b2d49c757278dce1e8b907b0dbbaab6e0c158c9ac0bbeb300077ee7d0edc6

Download Submit
C:\Windows\SysWOW64\Jbojlfdp.exe

Filesize
80KB

MD5
385f870c4d45af54ce0f183393f6cfb7

SHA1
1b730855156df986847a797520dd98ce47fe0aee

SHA256
ff25a59abea1da622ba89236162f1638b654f9b1933dbd24889ab5b1a8b2275e

SHA512
580f15c0d2da039d822fbb47d60b6997f5eb36a162013be049382a7d73d08fd4a52562781dd430248cd0593d8e559fb52af99712281a8d3b4c0fe6438ec1ab85

Download Submit
C:\Windows\SysWOW64\Jemfhacc.exe

Filesize
80KB

MD5
ded97300a545c6347ba2a8980ad69446

SHA1
5a9fef74ce1cd1b919bc9082f28936fabf8ef4f6

SHA256
97cee44274580f3ad0ab771f1def6f2f10f9ae70c95190016114b5e80c7c259e

SHA512
47eac0ebc255787dac739e10269be420c9a8916e5b5d269cd22d658e8c77fbeaede5689cb6af6346c28cb4049386cc65624e8c873cbfb0cfbcab9f93a2400d57

Download Submit
C:\Windows\SysWOW64\Jhnojl32.exe

Filesize
80KB

MD5
654b4d32566d4cefe11286008ab9db3e

SHA1
e38ba3ebf6c88a44e022b48556cb446f175a4823

SHA256
6a01ad27da63f45a394d1e25e6f781c00325f61f4f4ebaa1ce8eda5470a68774

SHA512
ff2a2ecb71e56030103293a7ab975836b55a79945eaee914cd5cfe9c0cd3df481164f567471f15c003ea0101627d01c56f2a177c1d7a3bc1b449196bc931cdb2

Download Submit
C:\Windows\SysWOW64\Jhplpl32.exe

Filesize
80KB

MD5
17682b864c6db297c1cfa56103cefca7

SHA1
14430df155df46ee824a95231497e7fa9d2ccc27

SHA256
2123150c583dce302d22d738fa3e7c7cd88fe25ffb410867d674844e57acd86a

SHA512
bca35d7b379d0d269e52bd7998631641ee3e9594430220ba6e93173c07f020c7119bf4b5c41f9bf1fe2716a135203e234954a0882ff6f5a898682fb6cfecdf9b

Download Submit
C:\Windows\SysWOW64\Jidinqpb.exe

Filesize
80KB

MD5
e91383a98f4e9cdf5c06b02f402e0fca

SHA1
8eb179341ce195712a5624008d713f98b55291aa

SHA256
df5e540007d8da4f6d4ec3fc842bade69806fe06702352dfe564936044a20556

SHA512
122c626052ecfe9eb19d874ad2a5375420f7240e701bcec5a1d88fadf75e4f157c98c1c32c57e5496c69d8cc32bff9ab612dbdcf91caa0d302300bc53b9a611b

Download Submit
C:\Windows\SysWOW64\Jifecp32.exe

Filesize
80KB

MD5
a9d09effb2b05c9376bd4db1d6276306

SHA1
611b31d235717a1d10ed127a35c09987beff5f82

SHA256
5a5287218b5d978ea9376bfdb5cff22c9264be084cc74887b79b98809b06961f

SHA512
a9dcc5fd97a96ff2c6efc8df77235af0e9425f5b739c5a68f9845163c8f4a837f00e40cf65caa9af27b4541ffac4623743519f250c4d5b08207109da815a69eb

Download Submit
C:\Windows\SysWOW64\Jikoopij.exe

Filesize
80KB

MD5
a57ab8031be33f9924424c3f486c16a8

SHA1
c5024a8a0ccc4c139781b17abf2b5fffa5e84815

SHA256
fa2416c074c07c4b895c8ab652a41591120852fc0afe32470a22407de83c9a53

SHA512
3625fe60818f14d75f79c6b8f1e9d5e24e3ce8f16835d5f6bcdbe51dc7d033b92ce2cee11560ec4d8699689e4311fedfc1ee784d1936ebdb994df76b07206921

Download Submit
C:\Windows\SysWOW64\Jlgoek32.exe

Filesize
80KB

MD5
2cecbd6863cf33519ab7700cb58d85f2

SHA1
6e26a67665155aa0551d6e2ee4dd04425cb29a21

SHA256
eb18946533d8db70ccf38353f8ef521900a8f84a956b8b02996ad71ae2020eab

SHA512
31c2c2eb614c06244b698341b2561df985518483e69372feb3f72a10509561461d93ead4c50897e4de5b67acb1fa7ac7c29c53d33031354cc93580d4796db9ce

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
80KB

MD5
73657eed1fbab31022940703a0eff194

SHA1
f35757f855860ca5f77bbde5060fb2be69d07088

SHA256
3fd955a9b863cdac042b11d9743ae103ba81d1b4ebd21d9598fe16ec27214658

SHA512
9b45fcfeab0c7e2b119955778525e523045c7174d67588917673c039bfab18869103562799756840a376c09ae651c4446d902ab3c6cdc113b7a60c0f874da037

Download Submit
C:\Windows\SysWOW64\Johggfha.exe

Filesize
80KB

MD5
fc5f725c6b1a97adea6429f41bb46633

SHA1
f8bbf4261e3ec8d0bf552f9ae3f1d0257e2a2a67

SHA256
ed6d3d7bbf28e86a353cfad58aa7030a815a94ae52875c7dd0e7dc0183141d28

SHA512
c65f1bc1ace9ea778f7726803ed03cad472b3fee2682f85cb8807e6b1c037d7c0c7b018e9bb2ba57c74105b1cc10c4740c1f469b8fd46de1fda01b84e3a31467

Download Submit
C:\Windows\SysWOW64\Joqafgni.exe

Filesize
80KB

MD5
53ec83e0648c6ce6b16403ec6105fb13

SHA1
bbf8f966d2ede33ce06a682429f249c573c7cc65

SHA256
791f522ea4df7d8e38883dde3c1f24bbad465ee13d05afea9bdbfbf959ce432f

SHA512
85961513fe604d25a2a3befc6700d8def6a839cc9e79b7dd6966aa601dcb8d9f9014f448e0c06bb9fede6672ccd7207bf1456be741c1491a2429e7af5086ff52

Download Submit
C:\Windows\SysWOW64\Kamjda32.exe

Filesize
80KB

MD5
cb42f4e64e8ae34bbc59418351643c00

SHA1
34c5c36a026155db10062db8c001ee9255b8ed72

SHA256
9f0c56ff38b6f09d01871ba6cba5a6b0f102221179f05eb762166be23e0f88d0

SHA512
f43f3a66aa6489f2d2b38dcba027ded2b2d39f6d6ea7f24e1d8d01b9fb4a5bf1281b38436b0b09e0c870196d1c83498f50aa42a8d368c34ba22a7c518428d971

Download Submit
C:\Windows\SysWOW64\Kapfiqoj.exe

Filesize
80KB

MD5
aff3c9ff7bf63ed92b5052f97b519f15

SHA1
eeb7f4c332d091c593e0c691b722c9048b986658

SHA256
cc006d4d38c828bde550fe217534d96b121c35aca137ca4848099b7dd7c1e483

SHA512
d430c833afe11bc5046845a0d18f623a14d57bff541f5a37e0faf917f126dbb45a419ea8f3334ff38b23fe432b690846c4bbb602fffecc1f52a30addf7357d10

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
80KB

MD5
c25f16a8a5ba38eb4f4bf01837fab349

SHA1
4b9e379ed51aa1366c4954b479e8d53d758e93be

SHA256
43ee501457c5689a449b9c3d307340f8663d5fa8c44d9e55639047ad91548b71

SHA512
4e1584d89c2a563e8fcf90c401936c76c21a888e474ade199c537f75b299a4a0a9c746d060a0ebb31111dd007af50105c52d13e884890b23d7de8b6426f0f0d8

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
80KB

MD5
fb64854e822fd1c1f9cd99506c368982

SHA1
03bf1e5437f53533ef6a29d5e7806f25e038cf6a

SHA256
1099648af88b528cbf9579711ce1f3c6a94eabe7b04a52a4418a0ebf5b72ddfb

SHA512
47c242ca2d4490b2d3bbac98683654a4cb29f857460a4ad038a343ccaecaab20150e879c26f234ee339121a6adfe485608ee02f8eaca4684cca4865c07f3f1b2

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
80KB

MD5
d0fe2a2e15479df77d26be8b80a9ec02

SHA1
ba31a68b52db729d982bd3f8b4186372271cdb84

SHA256
f6e68b9a65f1e307955739627e487a5b398b482d70c27c56c1f884fbd202723f

SHA512
ea6db2972fe62df5c3e9b97a47006ad699e9db28046ff0509a1df4a60918c09bc1451e92a0e91060dff442301b63b7d741f387a60a9a24ca49dab43ef6f1b04e

Download Submit
C:\Windows\SysWOW64\Kiphjo32.exe

Filesize
80KB

MD5
1e357e8ebc829c159cb315b31522a8ec

SHA1
8a4bf4d32c39ae0961394e3b2ed5779cb8cdc16c

SHA256
fac5860a97d495f580b486f7e4901b19e7a871cc3ae78c08492939939fddf456

SHA512
5b5ad365cdd8022bc39aeb5f3426a28d1b7a5eaacc0d06306500e12bc21d5b36838d2983010c58d98488e171a4af535d210521d84a2eb9f87fb2950e701adf39

Download Submit
C:\Windows\SysWOW64\Klpakj32.exe

Filesize
80KB

MD5
ccae47cd3b418d33715f64f7e4037124

SHA1
e6942b96733872ac8e83d09235d81b0785d3fe41

SHA256
62c3d180253a9c4e09891503dbd1edfa1c59e693c7b57a6b0bd349c41b15ed65

SHA512
e107f84af2476c17821b7a0ea139cf024d9daad083f67892227c679fadc805ae8049903949dd45794901dd4a88597884cdc11086f72cfdfeca4544d7b9f9e7dc

Download Submit
C:\Windows\SysWOW64\Kolabf32.exe

Filesize
80KB

MD5
0bb8c9cee3469a5fd1c620a21b32e5c7

SHA1
7445b3966626421eb840610bd9c9532f0d8f2650

SHA256
616945e428a0efb16ebeb6bb78563d8bedd3b0ab2164cade254cef292fa59dde

SHA512
0d0f3f140d1201c7718b307a8a48963780b240704b4ebb9c26c490667ece081ea62dba821b8088ed9da8044428908528b88f4a2593eba25ad2ee39b3a9568203

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
80KB

MD5
ff3b2cc0f5b9d5b755b7e552b45fa0e4

SHA1
fe4e61ac028a96f135083a2d43c645716676b49f

SHA256
d9b99a6c3e87a528a30a45d2f8b1d362a0bbab76122c3a64c526fa2413b0b3f9

SHA512
b88c08087a35e3b7573472785e3ea345fa570bfff76650c440f6fff1cca76ba60c974965fa72a5426b9fa0066a326de5baab843e958891f2bae72d1a155103ee

Download Submit
C:\Windows\SysWOW64\Nqcejcha.exe

Filesize
80KB

MD5
1c732c248869f20ef39e5b3619455115

SHA1
f10af06345dd6bcf24ac8113307a05df538bcb1b

SHA256
594d4215152ce7d967446c2f3786549ae2c49b6dc22b61f3bc910e054763eb54

SHA512
18970f137e099ae1bce8ec0b87b21debc459b3ef16cb142ade27b545a4f3f9f099fbb7c00273ca236f3f9e6b11c484c493b34cb1be967500e6f6897cf4f689fd

Download Submit
C:\Windows\SysWOW64\Oiagde32.exe

Filesize
80KB

MD5
5da373268b15976fe4b40b5c142993dc

SHA1
2ef6b04a80116fef1d2ffc6fda2ee3135b3f4ff0

SHA256
b09c0abd1d148d3bf21017df86e652fda5930bcf4926e06bc27daf695fe1234a

SHA512
41bb55d812c6e9c1edd0b3e6c61d393f71d279847fa4e1c66db231f645e9af8f5b46f10b32c55949d46c8cf77fe327c3dca7f32f0d5e1d370daa36397d4da4ab

Download Submit
C:\Windows\SysWOW64\Pbekii32.exe

Filesize
80KB

MD5
cd293351f73d72c5e63c8c47479b874d

SHA1
6d8e75aec10452d659eccf60c6ae3be1e2c7b1e3

SHA256
01fc11d1a07b3110157eb8ab38bd1074d1e7de38fcef0a002d04a159cad21fb5

SHA512
83d4bfe69f4d9e8355b0d66d87526fac8785a4bfa4babfbd6a50d2b6e994d45a890ba96d7cc5c1a232971376f423fdc0872706b9097196b6caf007d78a40ee31

Download Submit
memory/8-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/264-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/644-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/648-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/784-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/796-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/924-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1068-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1760-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2296-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2308-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3184-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3368-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3424-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3424-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3632-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3644-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3644-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3760-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3776-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3884-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3968-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4200-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4372-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4372-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4376-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4456-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4668-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5156-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5196-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5236-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5276-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5316-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5360-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5400-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5436-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5488-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5532-578-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5576-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5620-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads