c04564cef8e979bf29ecc7f8beb0f5d9afceee349e7d5b5dfa071b576cc28ee3

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c04564cef8e979bf29ecc7f8beb0f5d9afceee349e7d5b5dfa071b576cc28ee3.exe
Size

64KB
MD5

a232f7dc11798543d9d8c32818aa2bf4
SHA1

512efbf6223b9213cb327e36abf5cd6ba94982cc
SHA256

c04564cef8e979bf29ecc7f8beb0f5d9afceee349e7d5b5dfa071b576cc28ee3
SHA512

051ac8c79f5b670c99ed543a77840543e3ac313bdb1e2656d3556a4df0c39ce803f8b4b16892ab20e8c1d35f042bb41e912eba214f149fa0d78e68007e405824
SSDEEP

1536:VFlgdobV+bcCXUXXqqqbdwO+/WyK3rPFW2iwTbW:V4drH+/X+FW2VTbW

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iialhaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmcpoedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlgoek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcaipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihmfco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlgoek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iondqhpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klndfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplmliko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieccbbkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekjcaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnnmhfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iialhaad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khlklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnlom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jadgnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlikkkhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhgiim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lafmjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c04564cef8e979bf29ecc7f8beb0f5d9afceee349e7d5b5dfa071b576cc28ee3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iimcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiccje32.exe

Executes dropped EXE 64 IoCs

pid	Process
1748	Ihmfco32.exe
1496	Iogopi32.exe
3628	Iafkld32.exe
3512	Iimcma32.exe
4384	Ilkoim32.exe
3668	Ibegfglj.exe
3448	Ieccbbkn.exe
1336	Ilnlom32.exe
5104	Ibgdlg32.exe
4252	Iialhaad.exe
536	Iondqhpl.exe
1004	Jhgiim32.exe
3052	Joqafgni.exe
4016	Jekjcaef.exe
2884	Jocnlg32.exe
980	Jaajhb32.exe
5100	Jlgoek32.exe
3204	Jadgnb32.exe
4868	Jikoopij.exe
3780	Jlikkkhn.exe
2980	Jbccge32.exe
1396	Jimldogg.exe
2720	Jbepme32.exe
232	Khbiello.exe
1068	Klndfj32.exe
1804	Kibeoo32.exe
3732	Kplmliko.exe
1892	Keifdpif.exe
4120	Koajmepf.exe
1304	Kifojnol.exe
3404	Klekfinp.exe
2800	Khlklj32.exe
2992	Klggli32.exe
764	Kofdhd32.exe
4960	Lhnhajba.exe
2828	Lafmjp32.exe
4428	Lllagh32.exe
3876	Laiipofp.exe
3016	Llnnmhfe.exe
2948	Lchfib32.exe
4500	Ljbnfleo.exe
2576	Loofnccf.exe
3504	Ljdkll32.exe
4364	Lpochfji.exe
2352	Mapppn32.exe
3432	Mhjhmhhd.exe
1508	Mledmg32.exe
2860	Mablfnne.exe
4004	Mhldbh32.exe
4628	Mofmobmo.exe
4692	Mcaipa32.exe
1620	Mljmhflh.exe
4420	Mhanngbl.exe
4488	Mbibfm32.exe
1912	Mlofcf32.exe
1808	Nhegig32.exe
3168	Nfihbk32.exe
2984	Nmcpoedn.exe
3144	Nijqcf32.exe
1588	Ncpeaoih.exe
3536	Njjmni32.exe
1400	Nqcejcha.exe
1800	Ncbafoge.exe
1044	Niojoeel.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pkbcikkp.dll	Mhjhmhhd.exe
File created	C:\Windows\SysWOW64\Mablfnne.exe	Mledmg32.exe
File created	C:\Windows\SysWOW64\Niojoeel.exe	Ncbafoge.exe
File created	C:\Windows\SysWOW64\Oqmhqapg.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Omfekbdh.exe	Obqanjdb.exe
File created	C:\Windows\SysWOW64\Iokifhcf.dll	Jocnlg32.exe
File opened for modification	C:\Windows\SysWOW64\Jlikkkhn.exe	Jikoopij.exe
File created	C:\Windows\SysWOW64\Pjaleemj.exe	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Jaajhb32.exe	Jocnlg32.exe
File opened for modification	C:\Windows\SysWOW64\Lhnhajba.exe	Kofdhd32.exe
File created	C:\Windows\SysWOW64\Koajmepf.exe	Keifdpif.exe
File opened for modification	C:\Windows\SysWOW64\Ncbafoge.exe	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Benibond.dll	Jimldogg.exe
File created	C:\Windows\SysWOW64\Gdgfnm32.dll	Jlgoek32.exe
File created	C:\Windows\SysWOW64\Kofdhd32.exe	Klggli32.exe
File opened for modification	C:\Windows\SysWOW64\Mablfnne.exe	Mledmg32.exe
File created	C:\Windows\SysWOW64\Picoja32.dll	Iimcma32.exe
File opened for modification	C:\Windows\SysWOW64\Kofdhd32.exe	Klggli32.exe
File created	C:\Windows\SysWOW64\Ncjakdno.dll	Klggli32.exe
File opened for modification	C:\Windows\SysWOW64\Jadgnb32.exe	Jlgoek32.exe
File created	C:\Windows\SysWOW64\Eiidnkam.dll	Kplmliko.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pfhmjf32.exe
File created	C:\Windows\SysWOW64\Khbiello.exe	Jbepme32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhoeb32.exe	Oiagde32.exe
File created	C:\Windows\SysWOW64\Oqoefand.exe	Oqmhqapg.exe
File opened for modification	C:\Windows\SysWOW64\Laiipofp.exe	Lllagh32.exe
File opened for modification	C:\Windows\SysWOW64\Koajmepf.exe	Keifdpif.exe
File created	C:\Windows\SysWOW64\Ljbnfleo.exe	Lchfib32.exe
File created	C:\Windows\SysWOW64\Mhldbh32.exe	Mablfnne.exe
File created	C:\Windows\SysWOW64\Fkaokcqj.dll	Mablfnne.exe
File created	C:\Windows\SysWOW64\Mofmobmo.exe	Mhldbh32.exe
File created	C:\Windows\SysWOW64\Mcgckb32.dll	Iafkld32.exe
File created	C:\Windows\SysWOW64\Nqfbpb32.exe	Niojoeel.exe
File created	C:\Windows\SysWOW64\Lpochfji.exe	Ljdkll32.exe
File opened for modification	C:\Windows\SysWOW64\Omfekbdh.exe	Obqanjdb.exe
File created	C:\Windows\SysWOW64\Iaejqcdo.dll	Joqafgni.exe
File created	C:\Windows\SysWOW64\Ljdkll32.exe	Loofnccf.exe
File created	C:\Windows\SysWOW64\Khlaie32.dll	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Njjmni32.exe	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Ibgdlg32.exe	Ilnlom32.exe
File created	C:\Windows\SysWOW64\Lkpemq32.dll	Jikoopij.exe
File created	C:\Windows\SysWOW64\Nmcpoedn.exe	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Iialhaad.exe	Ibgdlg32.exe
File created	C:\Windows\SysWOW64\Jhgiim32.exe	Iondqhpl.exe
File created	C:\Windows\SysWOW64\Gcmjja32.dll	Jekjcaef.exe
File opened for modification	C:\Windows\SysWOW64\Mcaipa32.exe	Mofmobmo.exe
File opened for modification	C:\Windows\SysWOW64\Iondqhpl.exe	Iialhaad.exe
File created	C:\Windows\SysWOW64\Hpfohk32.dll	Njjmni32.exe
File created	C:\Windows\SysWOW64\Ocgkan32.exe	Oqhoeb32.exe
File opened for modification	C:\Windows\SysWOW64\Lafmjp32.exe	Lhnhajba.exe
File created	C:\Windows\SysWOW64\Lchfib32.exe	Llnnmhfe.exe
File opened for modification	C:\Windows\SysWOW64\Niojoeel.exe	Ncbafoge.exe
File created	C:\Windows\SysWOW64\Pciqnk32.exe	Ppnenlka.exe
File created	C:\Windows\SysWOW64\Biepfnpi.dll	Ilnlom32.exe
File opened for modification	C:\Windows\SysWOW64\Ilkoim32.exe	Iimcma32.exe
File created	C:\Windows\SysWOW64\Kafkmp32.dll	Jaajhb32.exe
File opened for modification	C:\Windows\SysWOW64\Jbepme32.exe	Jimldogg.exe
File created	C:\Windows\SysWOW64\Nhegig32.exe	Mlofcf32.exe
File created	C:\Windows\SysWOW64\Nfihbk32.exe	Nhegig32.exe
File opened for modification	C:\Windows\SysWOW64\Nfihbk32.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Oiccje32.exe	Ocgkan32.exe
File opened for modification	C:\Windows\SysWOW64\Ppgomnai.exe	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Lckggdbo.dll	Ieccbbkn.exe
File opened for modification	C:\Windows\SysWOW64\Nijqcf32.exe	Nmcpoedn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6068	5856	WerFault.exe	182

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhnhajba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lafmjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loofnccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pciqnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhgiim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapppn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplmliko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keifdpif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmcpoedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbafoge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niojoeel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilnlom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jekjcaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khbiello.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klggli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfihbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obqanjdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnenlka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joqafgni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlikkkhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laiipofp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpeaoih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oonlfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiagde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgomnai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhmjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iogopi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klndfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllagh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llnnmhfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjhmhhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibegfglj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibgdlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klekfinp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhegig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjmni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mablfnne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mljmhflh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhanngbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqmhqapg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbekii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljdkll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfccogfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlgoek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimldogg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kifojnol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lchfib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbepme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nijqcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mledmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhldbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbibfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c04564cef8e979bf29ecc7f8beb0f5d9afceee349e7d5b5dfa071b576cc28ee3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihmfco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iafkld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iimcma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koajmepf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqfbpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgkan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiccje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omfekbdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplhhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikoopij.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll"	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njjmni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkbkddd.dll"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcaipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpecpo32.dll"	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbldmmh.dll"	Klndfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niojoeel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqoefand.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckggdbo.dll"	Ieccbbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll"	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepjbf32.dll"	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhoeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlgoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdjokcd.dll"	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpnkbfj.dll"	Ljdkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkbpmep.dll"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaejqcdo.dll"	Joqafgni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeeaodnk.dll"	Laiipofp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbibfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laiipofp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mapppn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll"	Nijqcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebkgjkg.dll"	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpfqchb.dll"	Jadgnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himfiblh.dll"	Ihmfco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll"	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll"	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkhnd32.dll"	Nqfbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iafkld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilkoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibegfglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdbmgdb.dll"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceohefin.dll"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgckb32.dll"	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlqeenhm.dll"	Kibeoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khlklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lchfib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihmfco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmphaaln.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1748	1092	c04564cef8e979bf29ecc7f8beb0f5d9afceee349e7d5b5dfa071b576cc28ee3.exe	88
PID 1092 wrote to memory of 1748	1092	c04564cef8e979bf29ecc7f8beb0f5d9afceee349e7d5b5dfa071b576cc28ee3.exe	88
PID 1092 wrote to memory of 1748	1092	c04564cef8e979bf29ecc7f8beb0f5d9afceee349e7d5b5dfa071b576cc28ee3.exe	88
PID 1748 wrote to memory of 1496	1748	Ihmfco32.exe	89
PID 1748 wrote to memory of 1496	1748	Ihmfco32.exe	89
PID 1748 wrote to memory of 1496	1748	Ihmfco32.exe	89
PID 1496 wrote to memory of 3628	1496	Iogopi32.exe	90
PID 1496 wrote to memory of 3628	1496	Iogopi32.exe	90
PID 1496 wrote to memory of 3628	1496	Iogopi32.exe	90
PID 3628 wrote to memory of 3512	3628	Iafkld32.exe	91
PID 3628 wrote to memory of 3512	3628	Iafkld32.exe	91
PID 3628 wrote to memory of 3512	3628	Iafkld32.exe	91
PID 3512 wrote to memory of 4384	3512	Iimcma32.exe	92
PID 3512 wrote to memory of 4384	3512	Iimcma32.exe	92
PID 3512 wrote to memory of 4384	3512	Iimcma32.exe	92
PID 4384 wrote to memory of 3668	4384	Ilkoim32.exe	94
PID 4384 wrote to memory of 3668	4384	Ilkoim32.exe	94
PID 4384 wrote to memory of 3668	4384	Ilkoim32.exe	94
PID 3668 wrote to memory of 3448	3668	Ibegfglj.exe	95
PID 3668 wrote to memory of 3448	3668	Ibegfglj.exe	95
PID 3668 wrote to memory of 3448	3668	Ibegfglj.exe	95
PID 3448 wrote to memory of 1336	3448	Ieccbbkn.exe	96
PID 3448 wrote to memory of 1336	3448	Ieccbbkn.exe	96
PID 3448 wrote to memory of 1336	3448	Ieccbbkn.exe	96
PID 1336 wrote to memory of 5104	1336	Ilnlom32.exe	97
PID 1336 wrote to memory of 5104	1336	Ilnlom32.exe	97
PID 1336 wrote to memory of 5104	1336	Ilnlom32.exe	97
PID 5104 wrote to memory of 4252	5104	Ibgdlg32.exe	99
PID 5104 wrote to memory of 4252	5104	Ibgdlg32.exe	99
PID 5104 wrote to memory of 4252	5104	Ibgdlg32.exe	99
PID 4252 wrote to memory of 536	4252	Iialhaad.exe	100
PID 4252 wrote to memory of 536	4252	Iialhaad.exe	100
PID 4252 wrote to memory of 536	4252	Iialhaad.exe	100
PID 536 wrote to memory of 1004	536	Iondqhpl.exe	101
PID 536 wrote to memory of 1004	536	Iondqhpl.exe	101
PID 536 wrote to memory of 1004	536	Iondqhpl.exe	101
PID 1004 wrote to memory of 3052	1004	Jhgiim32.exe	102
PID 1004 wrote to memory of 3052	1004	Jhgiim32.exe	102
PID 1004 wrote to memory of 3052	1004	Jhgiim32.exe	102
PID 3052 wrote to memory of 4016	3052	Joqafgni.exe	104
PID 3052 wrote to memory of 4016	3052	Joqafgni.exe	104
PID 3052 wrote to memory of 4016	3052	Joqafgni.exe	104
PID 4016 wrote to memory of 2884	4016	Jekjcaef.exe	105
PID 4016 wrote to memory of 2884	4016	Jekjcaef.exe	105
PID 4016 wrote to memory of 2884	4016	Jekjcaef.exe	105
PID 2884 wrote to memory of 980	2884	Jocnlg32.exe	106
PID 2884 wrote to memory of 980	2884	Jocnlg32.exe	106
PID 2884 wrote to memory of 980	2884	Jocnlg32.exe	106
PID 980 wrote to memory of 5100	980	Jaajhb32.exe	107
PID 980 wrote to memory of 5100	980	Jaajhb32.exe	107
PID 980 wrote to memory of 5100	980	Jaajhb32.exe	107
PID 5100 wrote to memory of 3204	5100	Jlgoek32.exe	108
PID 5100 wrote to memory of 3204	5100	Jlgoek32.exe	108
PID 5100 wrote to memory of 3204	5100	Jlgoek32.exe	108
PID 3204 wrote to memory of 4868	3204	Jadgnb32.exe	109
PID 3204 wrote to memory of 4868	3204	Jadgnb32.exe	109
PID 3204 wrote to memory of 4868	3204	Jadgnb32.exe	109
PID 4868 wrote to memory of 3780	4868	Jikoopij.exe	110
PID 4868 wrote to memory of 3780	4868	Jikoopij.exe	110
PID 4868 wrote to memory of 3780	4868	Jikoopij.exe	110
PID 3780 wrote to memory of 2980	3780	Jlikkkhn.exe	111
PID 3780 wrote to memory of 2980	3780	Jlikkkhn.exe	111
PID 3780 wrote to memory of 2980	3780	Jlikkkhn.exe	111
PID 2980 wrote to memory of 1396	2980	Jbccge32.exe	112

C:\Users\Admin\AppData\Local\Temp\c04564cef8e979bf29ecc7f8beb0f5d9afceee349e7d5b5dfa071b576cc28ee3.exe
"C:\Users\Admin\AppData\Local\Temp\c04564cef8e979bf29ecc7f8beb0f5d9afceee349e7d5b5dfa071b576cc28ee3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\Ihmfco32.exe
  C:\Windows\system32\Ihmfco32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\Iogopi32.exe
    C:\Windows\system32\Iogopi32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\Iafkld32.exe
      C:\Windows\system32\Iafkld32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3628
    - - C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3512
      - C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Lafmjp32.exe
        
        C:\Windows\system32\Lafmjp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        45⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:644
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        81⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        84⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        89⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 408
        90⤵
        Program crash
        
        PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8
1⤵
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5856 -ip 5856
1⤵
PID:5964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iafkld32.exe

Filesize
64KB

MD5
a1bd0de33ea24a1e02ddfd60863b688e

SHA1
225288d934f585dbe48fdc5439a11aaa21760fb5

SHA256
21c3f623ed17facac61d0d2e686dad22a66aebbff22daed2bef130c1f9355a07

SHA512
22325ab69f64fb0c2cd0b7d1f1795520e7a190bdad3448f81759cfb30bec31976cb727930275676fe21feb3d5a699eb274162052277854ef54c66e6be4bb6a47

Download Submit
C:\Windows\SysWOW64\Ibegfglj.exe

Filesize
64KB

MD5
321d6e169cbcbaee4a06274bb825cbae

SHA1
a2357426315764f08d11b84c05b7d1d4b8192d3c

SHA256
51e9a2f3c638b1319c4c76d065c0f980f4af02b4acf72d71d7e3142f56316ff8

SHA512
8b44d6c72a7299d09a2a302e75f154891d28e1452d82851043ec928ba33da91aa10ac6d67a6c59e7b07856f5e855ce197da496ebca8ab8f6e9ebb11fde7b6cff

Download Submit
C:\Windows\SysWOW64\Ibgdlg32.exe

Filesize
64KB

MD5
980af9635acc8d7f86bca7846f3e9901

SHA1
267437d4a05a178081ac052137b63f93ce2e2f63

SHA256
5df05d93dce811017894e833d46997f5b2141846bbe46b755a7b7a143ceaf5f3

SHA512
d7f9731dbddec5ec7e06d111066c859ee3978da18d90b8fcc47b3a739513d62df7132b9c22620479ac673589b3fa78a5cc51718a8982ac55fca9efd568eaf9b3

Download Submit
C:\Windows\SysWOW64\Ieccbbkn.exe

Filesize
64KB

MD5
f504d62b4e2b8f3443699cf6879758c4

SHA1
cabfcc59084d6ea077d32631ee80e997007e9ac3

SHA256
c6dd0ddcfc9963336edb336bcde04a24489721b332a3027845ee1f87ae8b82b1

SHA512
02c605defece81194e0e77663a5d23a67c3fcf5087bf562aaa19a2d9a751bf2f3e8d5b2d74a336410e696b948c72a62b47409746e8dfa9f3455ac34cca8f3abf

Download Submit
C:\Windows\SysWOW64\Ihmfco32.exe

Filesize
64KB

MD5
13e088f744c73700e36ca5ce9db27332

SHA1
66ca544113b1813d663aa3d82ffa555c3c29cfb0

SHA256
bdc5d5af12712ead95a8d03f7633db04d1d6374ee9c0eff5bd6db32d7e9c1fe8

SHA512
f5c7154733a3c4930914e4d75b982b66e69fc27d5bf76c4899bfcd06c3368531d315a51f68ce2e07e13b7165e75cac7c16a4af535677f3147b3aeb6d57ec270d

Download Submit
C:\Windows\SysWOW64\Iialhaad.exe

Filesize
64KB

MD5
8b84fc4936693d409ac138f3cf0b8bff

SHA1
226c52e147addf45029e0a4eaacdbdf42cccbc07

SHA256
877e8e620bc8cd09f7d27a8db7bf8ce2b8d467fd1e5c2f3f7c41f50fb0c5d752

SHA512
acccf9e11b1ec8b25de6037ae44d97b044fa24e30fc648e22504ad0fb41a139c29918d5bfaa330beece1a6f45062f247d9f2bdeb24357cdb09e00ca08f63ea93

Download Submit
C:\Windows\SysWOW64\Iimcma32.exe

Filesize
64KB

MD5
533fb570a0f8a4be70e8c5875e6a1938

SHA1
1e1cd0d2e887018b59c430080e6b7ce130e60489

SHA256
7ce12e021c02f7e55147abb2b102655cff6b85de5fabd48d283658c8f2a2a5a3

SHA512
af73a43f74f7e888040f906c6ea759f9013119f80f697a39423251d5b6d3b802d4f30c15104cb3faa46b9332c088483cc4445a85894edfd0fa705a56afaf2e71

Download Submit
C:\Windows\SysWOW64\Ilkoim32.exe

Filesize
64KB

MD5
85923610bc39367ead139b12e8af15f5

SHA1
817b5547e961b7beace1f2591d1c3d97b6f39049

SHA256
69fb96694e6f027e2db2639c13615cc96de678fc4e16f31782839ee6a378f383

SHA512
aa519eeb94b4d06a70aac9199f730ac8091165c0b91d8f0a71f449bf17f5f7ca92650559485da534304cef1afde4de90fe8df16b1104d6c66a196bed65cd857a

Download Submit
C:\Windows\SysWOW64\Ilnlom32.exe

Filesize
64KB

MD5
9a621e2f434b1d38b6aeffd2a89ac250

SHA1
e2491baeb785b95589c06a95f709ff040e784690

SHA256
22a1769981d62f62e22d08ee9123c698bc964d73d17826ac8a0c3b2adacb381a

SHA512
54c404ee9453faf698827ddd22396df4c6224a18fb2354efe55c2d95375d203dd7cfd3f9f893c8f0c31d6622a65a7a10ccadfcee71341449a1607bddf4df150c

Download Submit
C:\Windows\SysWOW64\Iogopi32.exe

Filesize
64KB

MD5
9e73e655481412220aa4892593869c3c

SHA1
d100bebf491f529b30a1596ac60de2cba7058e90

SHA256
3362029844a0f1d42868827db8397d9e425dbe4e65defaa37dd8da145cbbe9cf

SHA512
15c923270a3399fa11da8ba8c60271aafcbe90150b8a617cd95b267070e1f3866c541f6f44e99212cd6603aa4ad0e8c6981b0b0d3148e357e9092c4d3f5468f9

Download Submit
C:\Windows\SysWOW64\Iondqhpl.exe

Filesize
64KB

MD5
9bafe1c701ac4f63223687c80fc07b17

SHA1
b6006334159d761538053b87ce2695bc22f63959

SHA256
c325ff96b7c521c0738ffa40e44d303416f7ea1deb44b65561f1726258efeef2

SHA512
5924a4aa8444a8415206b97da967842499debeb242751fa3b0d75f55f3bcded357e4bb33ae1109d731aef302c195ffa343a6a2178b0bd8c254c511af5916cc5a

Download Submit
C:\Windows\SysWOW64\Jaajhb32.exe

Filesize
64KB

MD5
9a128e62ff909afa46ef96b195dcf8ab

SHA1
d7c24dc550c7cf5c2970d27b75939433eb74d729

SHA256
930ca59f1a7fc6b27ae8c4ae3bfc2c8b50fa38834b61c3d2dbaa55528326210b

SHA512
3fceb71ca22d3f186a1f4515db105468081c39cb7ce87fcb5bdc3f29bc3b750b180ab6958a9a32f5aacdef81c7d5401835b8bf23081f3bb2f3c9f3d0d4a48ceb

Download Submit
C:\Windows\SysWOW64\Jadgnb32.exe

Filesize
64KB

MD5
f9a1e7e55ba7d4925a4cfa05995cb14e

SHA1
66f72f5308c4b5486e2f3628be673623023efb56

SHA256
d06e0698a4162fac31eab305e0a11af9192cd79561a6094617b008edcb1a41a7

SHA512
46587f093713afec54e4138f2124b1defc155e454b4ff587c5987481eaa98faee5b28745b8af5b43651e178a2a4712f64feb7a7cadb759df92828e80d8140215

Download Submit
C:\Windows\SysWOW64\Jbccge32.exe

Filesize
64KB

MD5
062e87394402201e2294459332c3a9f9

SHA1
35d10ae6c44a139d3e93ab4388da73c1b6bb7b3b

SHA256
a71a787acc5fa752296300f08ba8841c9d0766a8a69751552361b52c044c9380

SHA512
750d42b68bc4ec3db228de22cd29bd2acb4d434a6317ad9062f5a99cdb36af53dd5fc757018d4ce3837fa1fab73e4162768b604b634c7ad3ccf253773d6b9fb0

Download Submit
C:\Windows\SysWOW64\Jbepme32.exe

Filesize
64KB

MD5
fcbbf0ff1cd1ccf337a66e91d43a0ec2

SHA1
7d4695f310c8f709ffaa354f8d257a9ba24dd6ec

SHA256
5799528204e76891f17fbb1fa8734cec8990dc9ca9d88f921f4f881bfb49e7cf

SHA512
7157d1b58bd161b530a35084a817634c9ee7cd695af3f9affee29c3fbc3a33339334df402ef9f00a7805843097e45a762aed37d813994ef16547650ee51651bf

Download Submit
C:\Windows\SysWOW64\Jekjcaef.exe

Filesize
64KB

MD5
5f4bce3c3cbd6ff1439addec9aab9157

SHA1
90f5b586a40e173858e66e4d87eb0d0bead18b6c

SHA256
cf5b94cf6370025355de2d2860cb4df2a722bbadd1c20e8fde4906671ed1d918

SHA512
d25ca7353f688632ec026d6f7f9808174e6528c259c7e0b12211a2ff12f68713733a9d4b6c0e4faf94c1b2370e2491c17e2887c8910181f1f81a062af25cb5e4

Download Submit
C:\Windows\SysWOW64\Jhgiim32.exe

Filesize
64KB

MD5
088c33ea55ca9ca77fd39f8f9a3aa5e2

SHA1
19dd5262872eee88db40c64b98efc8bf057c9f3d

SHA256
8d8c85be4b549f0ee5196333def240f051507da1d01f57494d8269c9fe8f3288

SHA512
52b3adcebff1ab6d8512411e740c6dd88fead060ffba4f74c2341cd263d508bf9ee02e9bb54b5af624934283df38d28fbc35233d67a85e04497dc01126b0adc9

Download Submit
C:\Windows\SysWOW64\Jikoopij.exe

Filesize
64KB

MD5
f740fbd7c5c0baec05777acf010c6312

SHA1
7e08275a779daf23e77783406d9e724a7fc5a50d

SHA256
ec7f249c2c0fd8f842af41cb96bf788b56cd92ac4b2dffe3072f6d350b8c9879

SHA512
ba917dbcce0fd73f5840ad6953afa8dd95176fb140933754c6b218ec64e03ea031e9169332a0882920b662d54c7249acd3bd5eb770d5bf588690f7fcf4b0e1f9

Download Submit
C:\Windows\SysWOW64\Jimldogg.exe

Filesize
64KB

MD5
7130d6b5025097a8d881e5af4c52ab5a

SHA1
e8a4bee99a1791abd6f112e810591b67c720cdf6

SHA256
91430d916aec289c3692c9bf1fffbaee3536fa565e7acdbec237f051f5526d0d

SHA512
2af1092bc47e9f58d5931b8eb82b50d526a9869d03fc4c7a8d25f2fe9e9c370db9d4d904b26c84f70bbd0f78b045046a2d7aca9bed814ad992b076fe0b548400

Download Submit
C:\Windows\SysWOW64\Jlgoek32.exe

Filesize
64KB

MD5
120529484874b50431e0c99695c48cc2

SHA1
a16186c7885e72948009b7111d8e3c34977f84f3

SHA256
974a93a2a399cb8e6a7408e5aa8d1a64e5ce45d56023d4a7c3500568b3de25ea

SHA512
2ded03abf23bc94cfcc76be82e79a0550ac9b8cce4e8fd48e325f9813461b9a99ae4daa251c68954aad2399284f87f6a41a7387d0140901423424f4900a6302d

Download Submit
C:\Windows\SysWOW64\Jlikkkhn.exe

Filesize
64KB

MD5
7713354208fcb850cf813116e57f2cfe

SHA1
2058b7954ec6ab35200336ede41eaa441f9c47f2

SHA256
6f46b606411e84f1404fd0cb07a704ba46f5656154dcb07039dffee3cab529fd

SHA512
a34699d4db72fad173b83fd1588ee5326e01b57b20b35be282bcbc63b9d1d56438ac2ea4d4842ac355380c04ed7a8cf46f0628a54415e7da379fde957c51dbef

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
64KB

MD5
a56298c83c66f66794fc7c746fe9157a

SHA1
c971bb3577a80ec6df6d4442016f829b4b707efd

SHA256
8629ab9758d81a670e163bce4b1f221b5c1eba8b3a86d18dc2a728b2b3e1d310

SHA512
5e3f3e0b650776b01e9b15cfd31ee92311c30c94ce46875a4919cade003faff4bb665b618457124c9636de3f6fbac04504888b75c9bed48100147a3a72b450df

Download Submit
C:\Windows\SysWOW64\Joqafgni.exe

Filesize
64KB

MD5
1fac5afecf890df38777ee3814d587d8

SHA1
f1a2e30349286fee22754519522e548c047ba697

SHA256
0204b1bb0f46b432c8fef0276dd186177fc658f647d94ff64b79703b74714463

SHA512
05ae7510c2c60f5efbfba32a1de152acbac467df4d6902084d73fd0621f45153ca1931df3840445dc5990d3bbde0d114540716f765d6c13393432dbcffe9001d

Download Submit
C:\Windows\SysWOW64\Keifdpif.exe

Filesize
64KB

MD5
8cc8393fddd6eca14cbeeb236d46e3ac

SHA1
6f79a8fe21e85cf437ccb3242d48a285f314fdb4

SHA256
5b8c1644168d78e0f5f97612f491501820d151196780c4b156c4dea14e719173

SHA512
67d6067bbc156e18aad9b930e9da1406e14eef5704465a2dcc6e607043dd38cabc96ce23175cc54ee059f3c692a7d60dfc096466a4caaf210e1feea451f04b1f

Download Submit
C:\Windows\SysWOW64\Khbiello.exe

Filesize
64KB

MD5
47c839ca9a0bac994e13c77b16648a26

SHA1
5b31531d3bfee0f86200aae9fb6fe2d2879f2ed5

SHA256
f93062b034376bfa96d9f52ee54826cdb4a9ac8913d6d49237464039f6309978

SHA512
4c3af81a2941c72796c22d9b86f60837a989f776da4f970e44536832b0e8a2849fefaab126f31520ca3b7d97749e47130ad3cc445728b7e1626e264824120fa8

Download Submit
C:\Windows\SysWOW64\Khlklj32.exe

Filesize
64KB

MD5
f4b08bd4286275e45e49083a030d97dd

SHA1
9a714f39ab7ed98dab3a723142a08a6f84782290

SHA256
cbf9ab6b13ef7ba58730ccbc8f72108b0b709fa5f3c2ae791988f493cc9f368f

SHA512
76115b06f40aa606d758018e3d8c6a0c1c5eb86eab082167a7d676dbfba9f7688a2daa3fc8af42a53e69212ed1519a4067518d7ca95f1fb0e28f66b5fb342ac9

Download Submit
C:\Windows\SysWOW64\Kibeoo32.exe

Filesize
64KB

MD5
367ffeacc0d1bb0074aed625ff938fd5

SHA1
de3bf2a2f08fc8c8d90d57dd1167df67c3adc620

SHA256
78283c209de715bc4a8e328d5aedf3b35b02d5a0b5436b6a28ebcc638425876c

SHA512
381e2a70cf8ef4e4240cf4db761fd4a1a3788e470bfa7ecf3e74227dcd57d34ca72470694323e5bd647054a82965c3ee0463b050498ebb11d0874d96eeaceceb

Download Submit
C:\Windows\SysWOW64\Kifojnol.exe

Filesize
64KB

MD5
438749e3d6f7ed4c1279fb95e0dcdc5a

SHA1
8aa042ed7c1faf85fbaad5be61af660f280c3614

SHA256
80dcc58693e675b88a21a876ecba7a57bda903108afdcb330c4ddc798b7d254b

SHA512
46aa074fc93fde45399bed57926e90c61fb3bbed07b0b7e51af409b1f638fc1f9396366d6048414798cf4608b71ebedc497e0dbf522ab70e2c55daf39a670e3e

Download Submit
C:\Windows\SysWOW64\Klekfinp.exe

Filesize
64KB

MD5
0e0f8c3c9be4db3a571a42f0ecc8706e

SHA1
88c10d7d480b30078500c655b75a0da9fcde5728

SHA256
d1249dd8ba842c3d3c70fc26489b97b3e5e9b8ea52165d0c0a8ae11b118b61a5

SHA512
c4cec0cc2c4945b9cc37231d91312136c30c11803111ec7c7bbd5957ad9b28281be6285741190cbec10d201dba5a5eb7f26e3483af1527aff6eeabde0a3609c2

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
64KB

MD5
37a1f783c4d8b1604726f810e4def731

SHA1
9a8cc720ebf1691da6654776cbfe0d65273c742f

SHA256
bb14ff332134d6296d8fe8e704d0d702342b1371effb159a5b93e0db1780c834

SHA512
7dc05c2178865c69b4917aed77a95629defc6697b77320f8ed8158e319e6513ce416ae7cda6e653070ade76db27a33f5ac6f37e79b6cfc6a8363d8e98ddd51cb

Download Submit
C:\Windows\SysWOW64\Koajmepf.exe

Filesize
64KB

MD5
76ea010a3240e9ee212e1f59471e0d7e

SHA1
77878db10e863478b00f24b92b777b92ece2dcd0

SHA256
51db3ef7a3dd36467770cf01a2f7e69daca0cb7a74b0e3bb47ad6a7f02f8f558

SHA512
52be4641e480cce21aca69cc03592d95b364ec276532a3b2dcd0b5384bfa4661d466cc3079c1e20c0c1c5c2512a2c605afb8998071bd66de029d477ca2406949

Download Submit
C:\Windows\SysWOW64\Kplmliko.exe

Filesize
64KB

MD5
472d0c4e5619307a7b4d709dc9cbed89

SHA1
5723ed5a0d481b3eb74702cdaaef31d125332bd0

SHA256
373bb3d46973747427fdca87e0d6cbed844e48004e5d80d4dc5e3c4a6904480c

SHA512
1e8b31407a32adc07ab642368d6fca017405efad00afd6956d39da13c48682e05dab20b50f4f764cab5c41169678a9959efec138f85017ef58b7061b529d113c

Download Submit
C:\Windows\SysWOW64\Lafmjp32.exe

Filesize
64KB

MD5
fc5f9c5d72464248fd79a22279459566

SHA1
bcb711cacc6ab5df7242e08754a3a6f5172c1440

SHA256
279eece30af0e189511366a45ed8fbab46c073a60c1a2d2b09e72f1b6997d8c8

SHA512
c2abc205b8e9c32df8fb2f282775fed4e994cf1fb6d6616cfe01f008f51f64a326c75749c5a0c30ff465527cf9ea173f3ccfc810b31536660b3e8c42c949afd7

Download Submit
C:\Windows\SysWOW64\Ncbafoge.exe

Filesize
64KB

MD5
b87e0ecb96d634f835c6af3694df9690

SHA1
33b30b1b3efee4f8a9bded714151a25102598845

SHA256
2f8d851e17ebd894be52cba638161d8181a5a6ed3c25405bacd6279953d66a48

SHA512
bcc7869fa1c8e02dbd44fe3e909a4a260c01055aab4598c8961f9f6e58c86213511b7a0811f13140bb00d9c0c9aa486e9dae226d603b61de9b0277b663cbadd8

Download Submit
C:\Windows\SysWOW64\Oiccje32.exe

Filesize
64KB

MD5
bb1e7a634aa170901cb75e5b7e20b02a

SHA1
a12a1fa7711d566d271c0265fa6cb541cb3a3954

SHA256
b79f5b690898bd86b9f05dd52f98c990af31ac8a817e8d86223694b12f0dba43

SHA512
041a607ce30d05f83121670169d79ae78e9896cfc92131493faf5ea065d066bea82742f089939116cd5caa6d5c8c3b3f2331856fc2a047a255644ca5e2adebdf

Download Submit
C:\Windows\SysWOW64\Pbekii32.exe

Filesize
64KB

MD5
f6a0d09fee2c568613be695817b9da81

SHA1
e48128fd40bbedb604ce5fba5e9f2874a2f20520

SHA256
4515cdbdfdbaf91d79bfcf8ec6226ad7dd3438d3e1b13ba1041f72829a57b12c

SHA512
d85f02942cf091842e713285f7378ee4f363d4c1af46e5aafec1f79da66f09075f6111e76b6c8612f55d206348ae6ab0c5f1c396876b198b6562676aebef2b2b

Download Submit
C:\Windows\SysWOW64\Pfhmjf32.exe

Filesize
64KB

MD5
09bec33e81b21e5e0c8ce28e6f687d5c

SHA1
ded214203e68e14388e0e1bcf77cc29308b567de

SHA256
80d3eb35660fe22d8cd9d4a3f3d035d244204c62cb8af2b34742f94348b485e4

SHA512
f00c69dd7449f38ec0246bada15e732f04f901d0fb03f1e2ec72f9f67dbc368534fc343ee6641dfdc0ecb1110df19f72b11bfbc053fefbdb986fc40da92c6a7b

Download Submit
memory/232-206-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/232-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/536-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/536-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/764-362-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/764-297-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/980-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/980-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1004-99-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1004-187-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1068-299-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1068-216-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1092-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1092-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1304-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1304-261-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1336-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1336-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1396-277-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1396-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1496-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1496-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1508-384-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1620-419-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1748-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1748-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1804-224-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1804-306-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1892-242-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1892-320-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2352-370-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2576-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2576-349-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2720-285-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2720-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2800-278-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2800-348-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2828-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2828-307-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2860-391-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2884-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2884-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2948-335-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2948-404-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2980-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2980-180-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2992-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2992-355-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3016-328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3016-397-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3052-108-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3052-196-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3204-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3204-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3404-341-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3404-269-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3432-377-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3448-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3448-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3504-356-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3512-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3512-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3668-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3668-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3732-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3732-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3780-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3780-260-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3876-390-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3876-321-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4004-398-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4016-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4016-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4120-327-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4120-251-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4252-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4252-81-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4364-363-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4384-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4384-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4428-314-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4428-383-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4500-342-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4500-411-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4628-409-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4692-412-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4868-162-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4868-250-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4960-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4960-300-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5100-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5100-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5104-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5104-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads