294dd33b758aae64caf14d181c81e4d53178ae64cf81f31a0ae51a5008a27566

Analysis

max time kernel
114s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07b8a776376d84cda9033034865204f0N.exe
Size

181KB
MD5

07b8a776376d84cda9033034865204f0
SHA1

99dd97e4d49e348ca8429ce4acb7fa8a1d3533ac
SHA256

294dd33b758aae64caf14d181c81e4d53178ae64cf81f31a0ae51a5008a27566
SHA512

6d7a5d3b419f824215e58f8c23a0b632d0b8fe6d2d442e88730b86133b2c071b7a340d39888e96e3b09f517003646af2fec9c64380df2f281ffe08c5f41989ab
SSDEEP

3072:b3ZibclcQDrFDHZtOgxBOXXwwfBoD6N3h8N5G2qVUDrFDHZtOg:lpWo5tTDUZNSN58VU5tT

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipgkjlmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilphdlqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodiqp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oblhcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mapppn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilphdlqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kplmliko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpochfji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaajhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhplpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kifojnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klbnajqc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lomjicei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njedbjej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omalpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnakk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpclce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcdeeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iijfhbhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhmbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbepme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	07b8a776376d84cda9033034865204f0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipihpkkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepleocn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilfennic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbjfjci.exe

Executes dropped EXE 64 IoCs

pid	Process
3380	Ilfennic.exe
2676	Iijfhbhl.exe
4748	Ilibdmgp.exe
2280	Iogopi32.exe
4676	Ihpcinld.exe
2636	Ipgkjlmg.exe
2500	Iahgad32.exe
5088	Ipihpkkd.exe
3836	Ilphdlqh.exe
4516	Iehmmb32.exe
1232	Jpnakk32.exe
420	Jifecp32.exe
3996	Jaajhb32.exe
2640	Jpbjfjci.exe
4944	Jeocna32.exe
2576	Johggfha.exe
3492	Jhplpl32.exe
4156	Jbepme32.exe
4684	Khbiello.exe
4444	Kbhmbdle.exe
5112	Kefiopki.exe
3892	Kplmliko.exe
1704	Klbnajqc.exe
1192	Kifojnol.exe
4764	Kabcopmg.exe
1900	Klggli32.exe
4076	Lepleocn.exe
4580	Lpepbgbd.exe
1864	Lhqefjpo.exe
3840	Lcfidb32.exe
3328	Ljpaqmgb.exe
4656	Lomjicei.exe
1440	Ljbnfleo.exe
4452	Lplfcf32.exe
3024	Lancko32.exe
4832	Lpochfji.exe
3880	Mapppn32.exe
2792	Mledmg32.exe
2872	Mcoljagj.exe
764	Mhldbh32.exe
5004	Mpclce32.exe
1680	Mbdiknlb.exe
3652	Mhoahh32.exe
3268	Mcdeeq32.exe
4492	Mqhfoebo.exe
1428	Mbibfm32.exe
2508	Mhckcgpj.exe
1692	Momcpa32.exe
3756	Njbgmjgl.exe
2224	Nmaciefp.exe
4312	Njedbjej.exe
2620	Nfldgk32.exe
4800	Nodiqp32.exe
692	Nimmifgo.exe
4344	Nmhijd32.exe
2672	Ncbafoge.exe
3868	Njljch32.exe
336	Nqfbpb32.exe
5132	Ojnfihmo.exe
5172	Ommceclc.exe
5212	Ofegni32.exe
5252	Oqklkbbi.exe
5300	Oblhcj32.exe
5340	Omalpc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jpnakk32.exe	Iehmmb32.exe
File opened for modification	C:\Windows\SysWOW64\Kplmliko.exe	Kefiopki.exe
File opened for modification	C:\Windows\SysWOW64\Ojnfihmo.exe	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Oblhcj32.exe	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Kjiqkhgo.dll	Iahgad32.exe
File opened for modification	C:\Windows\SysWOW64\Njbgmjgl.exe	Momcpa32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjfdfbb.exe	Pcpnhl32.exe
File created	C:\Windows\SysWOW64\Hjaqmkhl.dll	Jaajhb32.exe
File opened for modification	C:\Windows\SysWOW64\Pakdbp32.exe	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Ommceclc.exe	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Kefiopki.exe	Kbhmbdle.exe
File opened for modification	C:\Windows\SysWOW64\Mqhfoebo.exe	Mcdeeq32.exe
File created	C:\Windows\SysWOW64\Ljgmjm32.dll	Oqoefand.exe
File created	C:\Windows\SysWOW64\Pjaleemj.exe	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Jicchk32.dll	Ljpaqmgb.exe
File created	C:\Windows\SysWOW64\Kifojnol.exe	Klbnajqc.exe
File opened for modification	C:\Windows\SysWOW64\Lpochfji.exe	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Ildolk32.dll	Nfldgk32.exe
File opened for modification	C:\Windows\SysWOW64\Obqanjdb.exe	Oqoefand.exe
File created	C:\Windows\SysWOW64\Pcbkml32.exe	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Fknofqcc.dll	Pjlcjf32.exe
File created	C:\Windows\SysWOW64\Klbnajqc.exe	Kplmliko.exe
File created	C:\Windows\SysWOW64\Johggfha.exe	Jeocna32.exe
File created	C:\Windows\SysWOW64\Mjjkejin.dll	Jeocna32.exe
File opened for modification	C:\Windows\SysWOW64\Kifojnol.exe	Klbnajqc.exe
File opened for modification	C:\Windows\SysWOW64\Lcfidb32.exe	Lhqefjpo.exe
File created	C:\Windows\SysWOW64\Bfmpaf32.dll	Obnehj32.exe
File created	C:\Windows\SysWOW64\Pjjfdfbb.exe	Pcpnhl32.exe
File created	C:\Windows\SysWOW64\Iahgad32.exe	Ipgkjlmg.exe
File created	C:\Windows\SysWOW64\Fjohgj32.dll	Klbnajqc.exe
File created	C:\Windows\SysWOW64\Lpochfji.exe	Lhgkgijg.exe
File created	C:\Windows\SysWOW64\Njljch32.exe	Ncbafoge.exe
File created	C:\Windows\SysWOW64\Pjlcjf32.exe	Pcbkml32.exe
File opened for modification	C:\Windows\SysWOW64\Pciqnk32.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Iehmmb32.exe	Ilphdlqh.exe
File created	C:\Windows\SysWOW64\Ilfennic.exe	07b8a776376d84cda9033034865204f0N.exe
File created	C:\Windows\SysWOW64\Naagioah.dll	Nmaciefp.exe
File created	C:\Windows\SysWOW64\Qckcba32.dll	Omfekbdh.exe
File opened for modification	C:\Windows\SysWOW64\Kefiopki.exe	Kbhmbdle.exe
File created	C:\Windows\SysWOW64\Jaajhb32.exe	Jifecp32.exe
File created	C:\Windows\SysWOW64\Mjpnkbfj.dll	Lhgkgijg.exe
File opened for modification	C:\Windows\SysWOW64\Pafkgphl.exe	Pjlcjf32.exe
File opened for modification	C:\Windows\SysWOW64\Ihpcinld.exe	Iogopi32.exe
File opened for modification	C:\Windows\SysWOW64\Jpbjfjci.exe	Jaajhb32.exe
File opened for modification	C:\Windows\SysWOW64\Ljpaqmgb.exe	Lcfidb32.exe
File created	C:\Windows\SysWOW64\Ommceclc.exe	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Dagdgfkf.dll	Ipgkjlmg.exe
File created	C:\Windows\SysWOW64\Nmhijd32.exe	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Iijfhbhl.exe	Ilfennic.exe
File opened for modification	C:\Windows\SysWOW64\Jifecp32.exe	Jpnakk32.exe
File created	C:\Windows\SysWOW64\Kabcopmg.exe	Kifojnol.exe
File created	C:\Windows\SysWOW64\Mbibfm32.exe	Mqhfoebo.exe
File created	C:\Windows\SysWOW64\Dndfnlpc.dll	Oblhcj32.exe
File created	C:\Windows\SysWOW64\Keoaokpd.dll	07b8a776376d84cda9033034865204f0N.exe
File created	C:\Windows\SysWOW64\Kplmliko.exe	Kefiopki.exe
File created	C:\Windows\SysWOW64\Mqhfoebo.exe	Mcdeeq32.exe
File opened for modification	C:\Windows\SysWOW64\Nodiqp32.exe	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Nnkoiaif.dll	Nqfbpb32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbkml32.exe	Pjjfdfbb.exe
File opened for modification	C:\Windows\SysWOW64\Iahgad32.exe	Ipgkjlmg.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Qglobbdg.dll	Ilphdlqh.exe
File created	C:\Windows\SysWOW64\Hjcakafa.dll	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Mcdeeq32.exe	Mhoahh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5368	6140	WerFault.exe	178

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpochfji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pakdbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpbjfjci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Johggfha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ommceclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omalpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhoahh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mledmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodiqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njljch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepleocn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljbnfleo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafkgphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplhhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhldbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmhijd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khbiello.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcoljagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnehj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjlcjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjaleemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07b8a776376d84cda9033034865204f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iijfhbhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljpaqmgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lomjicei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapppn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojemig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omfekbdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kifojnol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kabcopmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhqefjpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbafoge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipgkjlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbnajqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obqanjdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpnhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbkml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pififb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbepme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njedbjej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplmliko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplfcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lancko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqhfoebo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnakk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeocna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhplpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klggli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpclce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbibfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfldgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nimmifgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofegni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihpcinld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iahgad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oblhcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcdeeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjfdfbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pciqnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iehmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefiopki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcfidb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgkgijg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcnqjjo.dll"	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njedbjej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nodiqp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjkejin.dll"	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnele32.dll"	Kabcopmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mapppn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndfnlpc.dll"	Oblhcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qckcba32.dll"	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilphdlqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klbnajqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphnbpql.dll"	Kifojnol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmhijd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpchk32.dll"	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhmbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lancko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgccelpk.dll"	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihpcinld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qglobbdg.dll"	Ilphdlqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemghi32.dll"	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljgmjm32.dll"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khbiello.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deaiemli.dll"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilfennic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iijfhbhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlbgmif.dll"	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iehmmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kifojnol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mapppn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcakafa.dll"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	07b8a776376d84cda9033034865204f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgnfq32.dll"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnndji32.dll"	Ofegni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihpcinld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlqeenhm.dll"	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagioah.dll"	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klggli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqhdcii.dll"	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagdgfkf.dll"	Ipgkjlmg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3380	4356	07b8a776376d84cda9033034865204f0N.exe	91
PID 4356 wrote to memory of 3380	4356	07b8a776376d84cda9033034865204f0N.exe	91
PID 4356 wrote to memory of 3380	4356	07b8a776376d84cda9033034865204f0N.exe	91
PID 3380 wrote to memory of 2676	3380	Ilfennic.exe	92
PID 3380 wrote to memory of 2676	3380	Ilfennic.exe	92
PID 3380 wrote to memory of 2676	3380	Ilfennic.exe	92
PID 2676 wrote to memory of 4748	2676	Iijfhbhl.exe	93
PID 2676 wrote to memory of 4748	2676	Iijfhbhl.exe	93
PID 2676 wrote to memory of 4748	2676	Iijfhbhl.exe	93
PID 4748 wrote to memory of 2280	4748	Ilibdmgp.exe	94
PID 4748 wrote to memory of 2280	4748	Ilibdmgp.exe	94
PID 4748 wrote to memory of 2280	4748	Ilibdmgp.exe	94
PID 2280 wrote to memory of 4676	2280	Iogopi32.exe	95
PID 2280 wrote to memory of 4676	2280	Iogopi32.exe	95
PID 2280 wrote to memory of 4676	2280	Iogopi32.exe	95
PID 4676 wrote to memory of 2636	4676	Ihpcinld.exe	96
PID 4676 wrote to memory of 2636	4676	Ihpcinld.exe	96
PID 4676 wrote to memory of 2636	4676	Ihpcinld.exe	96
PID 2636 wrote to memory of 2500	2636	Ipgkjlmg.exe	97
PID 2636 wrote to memory of 2500	2636	Ipgkjlmg.exe	97
PID 2636 wrote to memory of 2500	2636	Ipgkjlmg.exe	97
PID 2500 wrote to memory of 5088	2500	Iahgad32.exe	99
PID 2500 wrote to memory of 5088	2500	Iahgad32.exe	99
PID 2500 wrote to memory of 5088	2500	Iahgad32.exe	99
PID 5088 wrote to memory of 3836	5088	Ipihpkkd.exe	100
PID 5088 wrote to memory of 3836	5088	Ipihpkkd.exe	100
PID 5088 wrote to memory of 3836	5088	Ipihpkkd.exe	100
PID 3836 wrote to memory of 4516	3836	Ilphdlqh.exe	101
PID 3836 wrote to memory of 4516	3836	Ilphdlqh.exe	101
PID 3836 wrote to memory of 4516	3836	Ilphdlqh.exe	101
PID 4516 wrote to memory of 1232	4516	Iehmmb32.exe	102
PID 4516 wrote to memory of 1232	4516	Iehmmb32.exe	102
PID 4516 wrote to memory of 1232	4516	Iehmmb32.exe	102
PID 1232 wrote to memory of 420	1232	Jpnakk32.exe	103
PID 1232 wrote to memory of 420	1232	Jpnakk32.exe	103
PID 1232 wrote to memory of 420	1232	Jpnakk32.exe	103
PID 420 wrote to memory of 3996	420	Jifecp32.exe	105
PID 420 wrote to memory of 3996	420	Jifecp32.exe	105
PID 420 wrote to memory of 3996	420	Jifecp32.exe	105
PID 3996 wrote to memory of 2640	3996	Jaajhb32.exe	106
PID 3996 wrote to memory of 2640	3996	Jaajhb32.exe	106
PID 3996 wrote to memory of 2640	3996	Jaajhb32.exe	106
PID 2640 wrote to memory of 4944	2640	Jpbjfjci.exe	107
PID 2640 wrote to memory of 4944	2640	Jpbjfjci.exe	107
PID 2640 wrote to memory of 4944	2640	Jpbjfjci.exe	107
PID 4944 wrote to memory of 2576	4944	Jeocna32.exe	108
PID 4944 wrote to memory of 2576	4944	Jeocna32.exe	108
PID 4944 wrote to memory of 2576	4944	Jeocna32.exe	108
PID 2576 wrote to memory of 3492	2576	Johggfha.exe	109
PID 2576 wrote to memory of 3492	2576	Johggfha.exe	109
PID 2576 wrote to memory of 3492	2576	Johggfha.exe	109
PID 3492 wrote to memory of 4156	3492	Jhplpl32.exe	110
PID 3492 wrote to memory of 4156	3492	Jhplpl32.exe	110
PID 3492 wrote to memory of 4156	3492	Jhplpl32.exe	110
PID 4156 wrote to memory of 4684	4156	Jbepme32.exe	111
PID 4156 wrote to memory of 4684	4156	Jbepme32.exe	111
PID 4156 wrote to memory of 4684	4156	Jbepme32.exe	111
PID 4684 wrote to memory of 4444	4684	Khbiello.exe	112
PID 4684 wrote to memory of 4444	4684	Khbiello.exe	112
PID 4684 wrote to memory of 4444	4684	Khbiello.exe	112
PID 4444 wrote to memory of 5112	4444	Kbhmbdle.exe	113
PID 4444 wrote to memory of 5112	4444	Kbhmbdle.exe	113
PID 4444 wrote to memory of 5112	4444	Kbhmbdle.exe	113
PID 5112 wrote to memory of 3892	5112	Kefiopki.exe	114

C:\Users\Admin\AppData\Local\Temp\07b8a776376d84cda9033034865204f0N.exe
"C:\Users\Admin\AppData\Local\Temp\07b8a776376d84cda9033034865204f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\SysWOW64\Ilfennic.exe
  C:\Windows\system32\Ilfennic.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\SysWOW64\Iijfhbhl.exe
    C:\Windows\system32\Iijfhbhl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\Ilibdmgp.exe
      C:\Windows\system32\Ilibdmgp.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Windows\SysWOW64\Ihpcinld.exe
        
        C:\Windows\system32\Ihpcinld.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Iahgad32.exe
        
        C:\Windows\system32\Iahgad32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Ilphdlqh.exe
        
        C:\Windows\system32\Ilphdlqh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:420
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Jhplpl32.exe
        
        C:\Windows\system32\Jhplpl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        51⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:336
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6140 -s 404
        83⤵
        Program crash
        
        PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8
1⤵
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6140 -ip 6140
1⤵
PID:5260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iahgad32.exe

Filesize
181KB

MD5
5b992091948d820a530d712f292bea4f

SHA1
882148dd5b0b5329b9c08258dbc0512aeb93c4fa

SHA256
fd15c3a6a0bdf60c2e03bb0a7886338a428379b82ccf79f9c01dad8be4171af3

SHA512
48f348de7fbadeee2129eb021fd4c1a03bee388ed325dd825dc29117a897fc3dbbe82cc16b16f5f8b38e72cb49cadbfca0eb41cae6ec5119d135235b35bedd18

Download Submit
C:\Windows\SysWOW64\Iehmmb32.exe

Filesize
181KB

MD5
fe6a4632e90f7a2f045b2f717d0aa109

SHA1
8bca5860fdb4e095001b818d96c94380a30aa610

SHA256
b2aa9c23582727cf9b5c70ff3dcc218d0cf5bea7351a83a5b5df4208db8438ae

SHA512
45a5a8bc771744d6a681629bdbde13cf15be65e6ee783bc6f66de423301f4799db2893a7a4cbd6e80a67283bc1cc7ad60accf04c72da43e7bfb9dccde92149b4

Download Submit
C:\Windows\SysWOW64\Ihpcinld.exe

Filesize
181KB

MD5
1c4761921720b436c05e8e929f9b569b

SHA1
cedb337655bb5096148c0e5cdfbc30ad4ef40934

SHA256
0ce8050523707e774b151b3cfd228923ae27ec2a9229bd892f5e11e5a01fa20c

SHA512
05c2b5c1c8b60965e438ded6d4c154fffc057866d91772f892158d8279fedb93eb2460b5a227a7dfbfc465a7966796281612616ab2a115d322745edb59390815

Download Submit
C:\Windows\SysWOW64\Iijfhbhl.exe

Filesize
181KB

MD5
b083a3c105ef36f3110b055ce7f355df

SHA1
be2f7669a95c5b14a14d9893f5dee16d44c67573

SHA256
9358ca4d0cd9a46465000f57741e0f65ea76bba60dad7cce3f7a8c36902ad580

SHA512
5406f0384650810c75512142ab24cd9f5f3959ece5b8500d99c4d6774dd3ffc7f6b0012f73c41a1d4572c815d20a6df789efcbdd02c247ac8ac5c6e10dbb7d57

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
181KB

MD5
7f0fda7ede9ec681f2567015141566ff

SHA1
a922602ccf702cd75e2939b6380dfbae20d7a065

SHA256
1b29fa4080df4d29e1533179eace696e64fbb3a7fb4f89b03d682c95a9a6e6f2

SHA512
88881a4c25e287eb1d8a456027c0d5c2e9a13c8acc637a9390cdfea41032f767e2a48cc3eb8090e247a198a88f439231a7837a5f8f04090fd8e878f5c4cc4bcc

Download Submit
C:\Windows\SysWOW64\Ilibdmgp.exe

Filesize
181KB

MD5
46f87d5d420ade62a55c7c7b3af14323

SHA1
37e262b829d367417c814ead67fbb40ffc20e0d5

SHA256
362f2c82f23456ac5b31dc0bdd6e4583ea4a83d7a476281a53f7bb4d01689808

SHA512
15ed883b7eb417b0d6102eb8aad9af470d1b4269ee7c44bc6b7f0ead5e337de0a375be9ecf19fcfc43685efc8dba251594314cb35da4584783acc6100ca90bdf

Download Submit
C:\Windows\SysWOW64\Ilphdlqh.exe

Filesize
181KB

MD5
0bafefce548183571848cedb1814d742

SHA1
7e0ed45bf612b99c04812f9c5897f09924d92d7a

SHA256
e8565171d5592d3ec0f21f03097f0c6c5e81a230f870dbecee0786a600162874

SHA512
ebe47d937f9e501858719217f2cc605ba762a54d1b89edca5e6195aa807c572febd0829c907e2ab42bb75524823e67bf03bc728fd66a0d8b91c7d5228d52503a

Download Submit
C:\Windows\SysWOW64\Iogopi32.exe

Filesize
181KB

MD5
7c00e3b9e0cfb8a8c65c4000c044f2c5

SHA1
f889b3c6798687a5503fac5f232a8047248cf93e

SHA256
d1bf1ae51f9418ecfcd7b1605f146e87bab38d39f51e1da0775d26812cdbdd30

SHA512
8bcd2f4273b868165662ad2402f1030d4eb0823611153ba61383ce5481241c5f9b1faa4d46ba7fd14645e2a50796f32f6358b95abe6f9c288331ee92d0afa575

Download Submit
C:\Windows\SysWOW64\Ipgkjlmg.exe

Filesize
181KB

MD5
71a1b58c0db96df59beea38e7bb05515

SHA1
3e16984dee6b8c62eb49fd9867038605a4c8901d

SHA256
5d944b209d96b5bf06204cc3ebc5452d827345344df0b1c6672ab0663e5adb63

SHA512
d6c796c385a1a4c008f6b7aae73b9a3440ec538be76e7047076d14063c9cc7c4c9506195519ef856fc912c13c1a5c675d48de3642c2f0e87feb6e752295dcbd8

Download Submit
C:\Windows\SysWOW64\Ipihpkkd.exe

Filesize
181KB

MD5
f21294dc04bb2e4888e05490d3aaec4b

SHA1
5bcd884985b8260a0e16127d08f0016133da07c5

SHA256
fb18e175e2e797d84ab5c7538de1f39121a1ffe1711425be61957985d654e3ba

SHA512
4bb2f8dc281b5cb458d2c81c1596b296b28316496fabcb829f0616949589d59d1d0387eee9927d5823efc92d62028fd41e68bd9625e5cc19e531588a61c95272

Download Submit
C:\Windows\SysWOW64\Jaajhb32.exe

Filesize
181KB

MD5
3653e3b67cc35fa12b3bd42642db61ee

SHA1
66603363ead737291cf880d91b947d6b58dd3f52

SHA256
9c8fb2cdab587ef9cdb5e0103ff85d06b96f7eaed17a29475ae432c9600f235d

SHA512
b87a487aef8e23a30ef1111371a1ed24e0025ded77d49cedabb46d6b7df89eaf305666b714ed2781b8dbe5a94ff3a8874cbe82ea5fd1309f1f8c3f52f02cc7c1

Download Submit
C:\Windows\SysWOW64\Jbepme32.exe

Filesize
181KB

MD5
437223fcc828fb53fa16c106dd308aaf

SHA1
048d1668e5db5706512e616967cb0efd1fd305d2

SHA256
ffcb8c6884e267d2e39a18196a27af65a17ee475d33b124d832cb2a50f01ca84

SHA512
adbf18e52cb062e3a7a2216b3c79c18971e689ece1102e22a30dbc5c5634d7fa6acc669f6f74528c70f61f2c4f3210e11e26e3e5c51f0a930f24ee6e052dedfa

Download Submit
C:\Windows\SysWOW64\Jeocna32.exe

Filesize
181KB

MD5
d4c0fbe83c211d31ab47d41f0c5d83bf

SHA1
74eab492a723c46974e06c5c9456b8f64ff4cb69

SHA256
d0d7bb6763ab455b6ad4b3a2d907f14cffaba9229359ed9093a93ee3339ec18a

SHA512
139e97312ad00983a22e03fa9c8763f05b0afcc38ab6a1cda2f4a479edb35f48b8188d2fda1013a5d67bb6a780094d454bb9127fcd920077627df35fa3d5ddbd

Download Submit
C:\Windows\SysWOW64\Jhplpl32.exe

Filesize
181KB

MD5
6fe0325c64f275c2bb24e15e44c5a01f

SHA1
cec5eefb9f005bcce0c279f54a35320e2ab55c59

SHA256
e4932c5cdcfb93d8f70f069aef76f655eef02036cb001a39ffcd176660920f9d

SHA512
54bd5d652b51af66e5274464e51fb6819b9d3cd6b9764ab6674e024284fda5be94500a33224ea4c5441006a1b853e029e9ea2c8738474051a726ed032a5ee6b8

Download Submit
C:\Windows\SysWOW64\Jifecp32.exe

Filesize
181KB

MD5
01017d06b0dd5b1ab3f95b1129fe9529

SHA1
662f0a40760b3c6ab68261aead6026eec8b3ff48

SHA256
ca74bb7fa83ef864ebb6ecca45ec9d647f90d5fee72233a82f2fa2edc15b0fea

SHA512
1875a780908e54866cf0cc4a9e6e200df91a866a6eae60f63e925d02d42a44e50f2f3de7713cd50e2d842e045e7b0494290998ffcaaf154552ad672a8cc3f8d8

Download Submit
C:\Windows\SysWOW64\Johggfha.exe

Filesize
181KB

MD5
28a0b620a44368cf12d447c9d1380c04

SHA1
447186aacac7847ec573a711706215f20335f169

SHA256
63a18249bc1b0575acf485f1c981ccda9c5a9b058507f04414e7921a0a10aa4b

SHA512
c17462f19bec13880fe4175f4cf85d274bb37cf0f8b13578c64bcd0ff93b25b58ac1c22e51861f606f6bdf63c565c8e98fe1c63f0497a62af9c06a3a4e34ddb4

Download Submit
C:\Windows\SysWOW64\Jpbjfjci.exe

Filesize
181KB

MD5
7f7cf286ab4ec4f97a1640ae82b5a293

SHA1
2f85b56fe4035ebc8100fccae957e2f8e3ad3de4

SHA256
c98f0dc68cfeec7d9ca59ae8938b4d4014eed3e44ed6f18cd2a21a954a5c7d35

SHA512
22036a86c7821ee283faa783f3b3c599f645be912f8322c9985f7c59b58d3f02066b31b7bd0bed5d7dbc6b617cf553beb0a3580290ad73fe172b319b4493152e

Download Submit
C:\Windows\SysWOW64\Jpnakk32.exe

Filesize
181KB

MD5
ec3894be1f811818e1e390da93d1da97

SHA1
a10f4dbe98dfe93b24abcfc1765f68d89bd67771

SHA256
0d1920d546e172f8225fbfd930e77481e186c7502c4ebb472db914447bf4750d

SHA512
bdc19c956cd0eb64ea95da889f1d969ad39e2bb4713332e0c6a4a78b9860d73c27bf743827a1224d95bc2cfe27a52bc32767c02244a69c4cea73bbb9d4856452

Download Submit
C:\Windows\SysWOW64\Kabcopmg.exe

Filesize
181KB

MD5
e451ca4c71b46fe4a0098bb17004e377

SHA1
20d77f0b4252d071debe71c448c0643e9d68f834

SHA256
cdc5895dfadc85e9f713cd0b8dd40796056908352e1fe30c05ae3a0e5747c684

SHA512
38cdb221ca6469691efb49bea3fe2a9405772ee39ea37b6977d7f594d1c12192a1a6237c6949c87a8bc35b050e93d909d49917ab1a3337fdadab18af99096df0

Download Submit
C:\Windows\SysWOW64\Kbhmbdle.exe

Filesize
181KB

MD5
ac8f3d73a44de9faa8460524b6f35671

SHA1
4b917f78a2ec9f448bcec56dfa8f0505e252d295

SHA256
760be0232aaca2a4783706f087d2bf8b1365a3cf868f5cc409a8fb42c6979e93

SHA512
f65e0b690e6cbe016048f36aeede6a94e7f6920b4e9d984babb0b720f1deea3969ca70b79ad15f63f5cf1bb07eeeba4464236e937bc56e1a1bc715aaa09b8728

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
181KB

MD5
5fc92aaed250e11e00ccff71a10ffd86

SHA1
bc26bb236ceb7c5ec5c213bd4fffcf66df169cd9

SHA256
4b122592126133f4729699571fffa87ad33090778806853513bd7cb18e40d07f

SHA512
c3f7896a43cbe643ce71503a9c70d04b01431a7241373c0ce0e4262791851a08ec4ea167a9e3781f5650ca3305646a727bd360d4c6937ec28dc9122abf822815

Download Submit
C:\Windows\SysWOW64\Khbiello.exe

Filesize
181KB

MD5
48d464bb8e28ead750404766095c2be4

SHA1
2b6b045caf84e1dfec2edbc948becb1e51c44fb2

SHA256
86feaec5e641f5911a977044ec8ecca3d610b622c8ed20159e98edc1f40ff3f8

SHA512
b8cb1174a2764329ed7397ba8f740f2a53ea077f820484ffba22f41fc4703470351260543e1ad3fd6c9aeabd147d4ddcccb9b68e28940f949fbc6ad8314029b1

Download Submit
C:\Windows\SysWOW64\Kifojnol.exe

Filesize
181KB

MD5
acff4e86aef7894000fa22a698ae5823

SHA1
43e5c6edfb3514ac1f382bb2852f0f6e188e15a5

SHA256
f6f999389d5b1b0653c1a8e47f07dfa25b290ed7c15f87481c71aa40b5561103

SHA512
945964e35536a2bded5277f3a1f702373cf1fc076cd75b0e63609c41e7b7541dd4a6d3793465624cb25d78ec578098ee0a5f902244c83afd58436ae9d43c5c76

Download Submit
C:\Windows\SysWOW64\Klbnajqc.exe

Filesize
181KB

MD5
c9207010ac29d55f67b205d8ca2fbba4

SHA1
b26b01d921d1a6ac99feeb339f86f52277cf450f

SHA256
9297afbacea99e07a0f6627b2efc035502b465f817033d9b16fc76ef1805a462

SHA512
68b881d754895b885da1fc3e67f1d80cb1a225a188ecb711f38c5ad83903878bbbd262790058e00b0bf6bbc2d9c1fa5797c81fca14d7d215b8c062d99ec76930

Download Submit
C:\Windows\SysWOW64\Klggli32.exe

Filesize
181KB

MD5
e4ed50acf5450a0f2ff0a3700cc71e48

SHA1
ac4858380209bd8decb9f3fa7e4ea902161c6055

SHA256
760dd622af4454f26cd1e8a27b2842e1c417a14b6067b5fff0d02163bd039bbf

SHA512
b4c9b4c750be4d6282aee4e1d6ff950f55e7c5b8e3b66374b32f327a0b6674a460052424b7d46ba93e57db3ffc765ed167ea15df4930a055e386002e9e9ca308

Download Submit
C:\Windows\SysWOW64\Kplmliko.exe

Filesize
181KB

MD5
b16fe66c6fb196831149c24700a9f749

SHA1
b660c74f54df999a1e270b4019f858ea6f1a4a95

SHA256
56f9581eebf78c2f8758c3000eaccb84e438e0ab7d0498a49e6e58d99490c3f2

SHA512
692b6caae5c49d0706ddcc53af8e0fdcec98ef35699ebdbb7f1cd4109cc98c47051b3b6e44d7fa415a6b55094b8c0961e898cf57326ca8a459a7911c2a18012d

Download Submit
C:\Windows\SysWOW64\Lcfidb32.exe

Filesize
181KB

MD5
8177f130f01fba0f466cf8c6be229b0e

SHA1
f5e81e8e4eccb310b6b3985d9b7edc1b63ea000a

SHA256
453c5582c6114117d00d07159b84dc63a5d4417c049601cc721832f5dfc20fc6

SHA512
21311ef73c33c5fcc43da6264c3df09bb8c260ebd39b98fadb433a2827ea035a47cf0af09f783e5e3e655ea2e623a9bd7dc9580104e9696462fb9b39a2197699

Download Submit
C:\Windows\SysWOW64\Lepleocn.exe

Filesize
181KB

MD5
348bc217e43c1186995a1726ed01658b

SHA1
31e06d7781cd123c02ed9a6f650d9be59b5bfe80

SHA256
276ae0a56ebc0dcbcff0dd19c0987e603529c12a2a402d8d00b2f558e6ddba18

SHA512
de7d05282b2f033ed96768692435472d606f2e1ee8531722faed94892d4261c3fff1d0cac7c4ee94735bb03fc2faf284536914da85dbaf5ea3a91884d43ffbe6

Download Submit
C:\Windows\SysWOW64\Lhqefjpo.exe

Filesize
181KB

MD5
467ae30a58a33ccd9ea26b1e947685e1

SHA1
12f6ce2c268ad1e3c53400e5ce8d464981422edb

SHA256
b491fd2f1137ea6db9eb8fe188009a6e4d786c1757ed429af965c65fb8206d7d

SHA512
60e8428e8429befdddacce0933d7628b004e46a4f79fe89db9cc29b736c0029716545f4e3726cda3ea4190f848043c8fd4bc41dc26572805f0c57fc9eecba028

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
181KB

MD5
94e1c3617128848a5b9b95193a22f0c8

SHA1
fca1117ac479f0c5f30e35f79763b06ed6e3615b

SHA256
6acdf6a2b93b3e7f545e01f6df1a0a046452cf3da555c17932396a105f6ed877

SHA512
85dacc9068ead3a24831b3bcdb85e5dc5fe4c79d50e846358dc77fdc04f406a4d88dcb7e5044589f581d6ef740d97793700af494e065504127effadabc045487

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
181KB

MD5
af1036c159748ceac94cac066f6373cf

SHA1
fdb8fe665663ee76b0a798853d3b114737ab29dc

SHA256
188b8664839a386b1495e1cb31943fd79e1ced33ab5b6f0cf7cdd7913ea3f7d4

SHA512
0756de449df0a2c03e774ce331ea751a7cac0d9655ea44d060a1c0570da05fad43e7c69b6a5f7c9c06da1a0756d79293546de16d484741c41ed1e7fb7aaa180f

Download Submit
C:\Windows\SysWOW64\Lpepbgbd.exe

Filesize
181KB

MD5
0ccc117097cca3b95c6b3bf9ca291ee6

SHA1
5fcc10821c1699afa6a3323f57ca6981dc517647

SHA256
7d0c7e0ad78dafb564d16193aa21102eb68ac6cf9ae02df2331a630fd46d92ad

SHA512
8d09fed71dcf50f0c94309af03fbe9499ae4d493ee9f02a6f40103ceb35854a895890fda407e48a31b77fe40020e08530a2f5019d5cd9297375c37afd89d315d

Download Submit
C:\Windows\SysWOW64\Lplfcf32.exe

Filesize
181KB

MD5
80a3eb9a7178b78a9fd56088d8ffc60d

SHA1
48fac2cf0e8ed629846d8e255b338f21ca441347

SHA256
b06ef1abc0fe81c546aeed9cb49868c7451ecab105e64fe9c153cf34c6dfdcd4

SHA512
ee9c6ef36cc3fb690d3371d87aad8ded68d7274d2834bf6968803b8a72084e89fc73d408a814a1b57ffb27bb484a6679ace5a5f28ba502b26470914e3c9d0d25

Download Submit
C:\Windows\SysWOW64\Mapppn32.exe

Filesize
181KB

MD5
42c37a47f722963e1e71e76b92ed21ca

SHA1
b28eb8a10065db09178e5b3a46d0dc05ddda5227

SHA256
169175d720a33b1d50e54c54a54c713f5e770be958fcd4c1c9a06944fc15619d

SHA512
82e3a3d7a3c19e806bd7a9f363eba60719d8a6951b5d0bc81f2220e5d7b93af20db3f36fed340d5f47144171c6aff1a69b0dddd4c06fc72b1c4f8aebd0fa0a99

Download Submit
C:\Windows\SysWOW64\Momcpa32.exe

Filesize
181KB

MD5
f249e5dc82a02725138ade6aca691f92

SHA1
c9c46b313a78deb9a89e9275a1741eae74027e36

SHA256
29df3a8bf787a122fcc00dda39115fe76aeedebac9ec37bf288546af0616537a

SHA512
d124511d19dc49354b14d0154a33cb5123998ae279e8d9152a3819a56afac3cb4fdd1e4b7b917149b01e8d68bb21a43dd727c3c3cb5e8e6f42ec0ab205617a74

Download Submit
C:\Windows\SysWOW64\Oblhcj32.exe

Filesize
128KB

MD5
6568aa65137efc6eea6653fa351330fc

SHA1
fcfc64d1a666bb424608de84ecdba2afdf06a348

SHA256
2388519876bebd8c5eabbdea159768375a8ec4d96a6eaf8042ba231c05d9d95d

SHA512
0e71d4a0f2b4393a3b3f395f847d757ebf8150e854cfe50c4c25df223bf8ebbab0d7a54d044a752ebb79c62e05e91fbb44c5184506c1b80138b95f3bd80b6b90

Download Submit
C:\Windows\SysWOW64\Ommceclc.exe

Filesize
181KB

MD5
0f9cb9d34bcde8ce9de3ab810f2d1dc5

SHA1
dd069e7028b9029b94ccdd50202bd3316dd73e0a

SHA256
19c0b08dcc58d5b2f1aac2a291fb7dedeefd653a923005a3ca1d64ef1c64fe13

SHA512
11912fed4d2f0d85420885f95348eadb6f28977e1a784dc16fd24ba2e9048a5af47bb9dfcfd8f846d41076222530b9ff1ad661b7c1ef740c7b28fc3bc639e258

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
181KB

MD5
22ab4aefe0490cef62df9564c25b55b3

SHA1
b297dde4f3a889bf4b2e8777fdccb5a6d61ba53d

SHA256
4109091233f7d65b54bd55d663d79432a8e8668cb5855f655dbd718273bfc702

SHA512
c010ce5fd0744f7c701d1c7cd274c0a8a31699aab584b0f1fc338567c16e66451dd8d3dfbc8703ed9ffcdb33f538a8057ee87196d4b06987f9540d2ad9eae7e2

Download Submit
memory/336-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/420-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/692-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/764-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2508-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-569-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3268-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3328-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3380-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3380-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3756-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3840-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3868-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3892-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4076-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4356-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4356-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4452-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4656-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5004-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5132-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5172-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5212-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5252-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5300-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5340-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5384-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5424-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5464-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5464-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5508-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5508-568-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5564-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5564-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5604-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5604-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5648-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5648-562-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5700-560-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5700-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5756-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5756-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5812-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5856-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5932-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5932-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5996-554-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5996-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6056-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6088-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6088-540-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6140-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6140-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads