b0589e95416ebceb3a2b6719dafb51f5f159be1c13b2c263a7590dc283ef82bd

Analysis

max time kernel
116s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 00:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f14c9977a9a99851f3ed6e480f831680N.exe
Size

285KB
MD5

f14c9977a9a99851f3ed6e480f831680
SHA1

3ab771eb4ea6fbe3b60002288a4be2eceff9b284
SHA256

b0589e95416ebceb3a2b6719dafb51f5f159be1c13b2c263a7590dc283ef82bd
SHA512

18d33655d37c10161077b512dfa50e04408de78a4704fb57a2a9472a6492a9b0a07b104bb8bf5ee382830f08b27213b4fe6115e3d761b5c799c677d8e028691e
SSDEEP

3072:PU/QqagSMoTm32Oxe2KVcbMloVRr3uMg0kAqSxYiJ2QM4GKch:vqVSMym32/2KQIoi7tWa

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhgdmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nchhfild.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgapmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgapmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okolfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mociol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hchqbkkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mklfjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddble32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poidhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnjbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlqloo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdngpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbdgec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nconfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hebcao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mllccpfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oloipmfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idhiii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcppq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlefjnno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lefkkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f14c9977a9a99851f3ed6e480f831680N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mclhjkfa.exe

Executes dropped EXE 64 IoCs

pid	Process
4216	Hbdgec32.exe
5076	Hebcao32.exe
2984	Hgapmj32.exe
1740	Hbfdjc32.exe
3324	Hchqbkkm.exe
2408	Inidkb32.exe
2588	Ibgmaqfl.exe
1092	Idhiii32.exe
2524	Jaljbmkd.exe
1412	Jlanpfkj.exe
3052	Janghmia.exe
2932	Jhhodg32.exe
3556	Jdopjh32.exe
3684	Jnedgq32.exe
2860	Jhmhpfmi.exe
4448	Jaemilci.exe
728	Jlkafdco.exe
2036	Koimbpbc.exe
4560	Koljgppp.exe
3252	Kkbkmqed.exe
2948	Kalcik32.exe
5016	Kaopoj32.exe
4316	Klddlckd.exe
4036	Kemhei32.exe
2476	Ldbefe32.exe
5112	Logicn32.exe
636	Lddble32.exe
760	Lbebilli.exe
2364	Ledoegkm.exe
1776	Lefkkg32.exe
1392	Lcjldk32.exe
4028	Lhgdmb32.exe
3020	Moalil32.exe
3696	Mclhjkfa.exe
3976	Mhiabbdi.exe
5048	Mociol32.exe
4892	Mdpagc32.exe
1032	Mkjjdmaj.exe
548	Madbagif.exe
4368	Mdbnmbhj.exe
2256	Mklfjm32.exe
1128	Mccokj32.exe
960	Mebkge32.exe
3332	Mllccpfj.exe
3560	Mojopk32.exe
1084	Mdghhb32.exe
1340	Nlnpio32.exe
2880	Nchhfild.exe
5024	Ndidna32.exe
5052	Nlqloo32.exe
1840	Namegfql.exe
3248	Nfiagd32.exe
4756	Nhgmcp32.exe
616	Ndnnianm.exe
3104	Nlefjnno.exe
2492	Nconfh32.exe
1416	Nfnjbdep.exe
3504	Nlgbon32.exe
1268	Ncaklhdi.exe
3244	Odbgdp32.exe
1792	Oohkai32.exe
4816	Obfhmd32.exe
4924	Ohqpjo32.exe
3472	Okolfj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pmbpeafn.dll	Kkbkmqed.exe
File created	C:\Windows\SysWOW64\Mccokj32.exe	Mklfjm32.exe
File created	C:\Windows\SysWOW64\Qkfkng32.exe	Qihoak32.exe
File opened for modification	C:\Windows\SysWOW64\Apddce32.exe	Amfhgj32.exe
File opened for modification	C:\Windows\SysWOW64\Aealll32.exe	Abcppq32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljbmkd.exe	Idhiii32.exe
File created	C:\Windows\SysWOW64\Ijaaij32.dll	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Nbdenofm.dll	Nlgbon32.exe
File opened for modification	C:\Windows\SysWOW64\Oloipmfd.exe	Odgqopeb.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Oooaah32.exe
File opened for modification	C:\Windows\SysWOW64\Pokanf32.exe	Peempn32.exe
File created	C:\Windows\SysWOW64\Jaljbmkd.exe	Idhiii32.exe
File opened for modification	C:\Windows\SysWOW64\Kalcik32.exe	Kkbkmqed.exe
File created	C:\Windows\SysWOW64\Bfdkqcmb.dll	Klddlckd.exe
File created	C:\Windows\SysWOW64\Mdghhb32.exe	Mojopk32.exe
File created	C:\Windows\SysWOW64\Fhmeii32.dll	Odbgdp32.exe
File opened for modification	C:\Windows\SysWOW64\Okolfj32.exe	Ohqpjo32.exe
File opened for modification	C:\Windows\SysWOW64\Aeopfl32.exe	Qkfkng32.exe
File opened for modification	C:\Windows\SysWOW64\Koimbpbc.exe	Jlkafdco.exe
File created	C:\Windows\SysWOW64\Nijmbbnl.dll	Hebcao32.exe
File created	C:\Windows\SysWOW64\Ndnnianm.exe	Nhgmcp32.exe
File opened for modification	C:\Windows\SysWOW64\Obfhmd32.exe	Oohkai32.exe
File created	C:\Windows\SysWOW64\Oenlmopg.dll	Odljjo32.exe
File created	C:\Windows\SysWOW64\Pmoagk32.exe	Pokanf32.exe
File created	C:\Windows\SysWOW64\Hgapmj32.exe	Hebcao32.exe
File created	C:\Windows\SysWOW64\Omclnn32.dll	Nlefjnno.exe
File created	C:\Windows\SysWOW64\Odljjo32.exe	Ofijnbkb.exe
File opened for modification	C:\Windows\SysWOW64\Qihoak32.exe	Qifbll32.exe
File opened for modification	C:\Windows\SysWOW64\Mojopk32.exe	Mllccpfj.exe
File created	C:\Windows\SysWOW64\Ecdleo32.dll	Ndidna32.exe
File created	C:\Windows\SysWOW64\Abohmm32.dll	Nconfh32.exe
File created	C:\Windows\SysWOW64\Abcppq32.exe	Apddce32.exe
File created	C:\Windows\SysWOW64\Mnpkiqbe.dll	Jlanpfkj.exe
File opened for modification	C:\Windows\SysWOW64\Idhiii32.exe	Ibgmaqfl.exe
File created	C:\Windows\SysWOW64\Encnaa32.dll	Mociol32.exe
File created	C:\Windows\SysWOW64\Mdbnmbhj.exe	Madbagif.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Aealll32.exe
File opened for modification	C:\Windows\SysWOW64\Hebcao32.exe	Hbdgec32.exe
File created	C:\Windows\SysWOW64\Mclhjkfa.exe	Moalil32.exe
File opened for modification	C:\Windows\SysWOW64\Mhiabbdi.exe	Mclhjkfa.exe
File created	C:\Windows\SysWOW64\Nconfh32.exe	Nlefjnno.exe
File created	C:\Windows\SysWOW64\Hfdgep32.dll	Odgqopeb.exe
File created	C:\Windows\SysWOW64\Edkamckh.dll	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Edngom32.dll	f14c9977a9a99851f3ed6e480f831680N.exe
File created	C:\Windows\SysWOW64\Ledoegkm.exe	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Mebkge32.exe	Mccokj32.exe
File created	C:\Windows\SysWOW64\Nchhfild.exe	Nlnpio32.exe
File created	C:\Windows\SysWOW64\Nlgbon32.exe	Nfnjbdep.exe
File created	C:\Windows\SysWOW64\Poidhg32.exe	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Kkpdnm32.dll	Peempn32.exe
File opened for modification	C:\Windows\SysWOW64\Hbdgec32.exe	f14c9977a9a99851f3ed6e480f831680N.exe
File opened for modification	C:\Windows\SysWOW64\Kemhei32.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Lhgdmb32.exe	Lcjldk32.exe
File created	C:\Windows\SysWOW64\Mllccpfj.exe	Mebkge32.exe
File created	C:\Windows\SysWOW64\Nlqloo32.exe	Ndidna32.exe
File opened for modification	C:\Windows\SysWOW64\Pdqcenmg.exe	Pbbgicnd.exe
File opened for modification	C:\Windows\SysWOW64\Peempn32.exe	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Cpclaedf.dll	Hgapmj32.exe
File opened for modification	C:\Windows\SysWOW64\Jlanpfkj.exe	Jaljbmkd.exe
File created	C:\Windows\SysWOW64\Bhejfl32.dll	Mllccpfj.exe
File created	C:\Windows\SysWOW64\Odgqopeb.exe	Obidcdfo.exe
File created	C:\Windows\SysWOW64\Gckjdhni.dll	Aeopfl32.exe
File opened for modification	C:\Windows\SysWOW64\Hbfdjc32.exe	Hgapmj32.exe
File created	C:\Windows\SysWOW64\Kaopoj32.exe	Kalcik32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hebcao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mccokj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkafdco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mclhjkfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oooaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhiabbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mociol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllccpfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlqloo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Namegfql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlanpfkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnedgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oloipmfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbebilli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nchhfild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpagc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlgbon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f14c9977a9a99851f3ed6e480f831680N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poidhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgdmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkjjdmaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncaklhdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbfdjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddble32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefjnno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hchqbkkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefkkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdbnmbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odbgdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnnnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbdgec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibgmaqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbgicnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklfjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janghmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnnianm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peempn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inidkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kalcik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfiagd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f14c9977a9a99851f3ed6e480f831680N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgfaf32.dll"	Nfiagd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ochamg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll"	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmimi32.dll"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conkjj32.dll"	Nfnjbdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfbmdabh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbpeafn.dll"	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddble32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll"	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggociklh.dll"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbfdjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdlidhm.dll"	Jaljbmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfiagd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Namegfql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbdgec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hchqbkkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kalcik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mclhjkfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfjc32.dll"	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenlmopg.dll"	Odljjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	f14c9977a9a99851f3ed6e480f831680N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hebcao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlcd32.dll"	Hchqbkkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnefjjd.dll"	Jhhodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omclnn32.dll"	Nlefjnno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmhc32.dll"	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjcnl32.dll"	Hbdgec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlqloo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naapmhbn.dll"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdjpphi.dll"	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Peempn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caekaaoh.dll"	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpqko32.dll"	Mklfjm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 4216	4716	f14c9977a9a99851f3ed6e480f831680N.exe	90
PID 4716 wrote to memory of 4216	4716	f14c9977a9a99851f3ed6e480f831680N.exe	90
PID 4716 wrote to memory of 4216	4716	f14c9977a9a99851f3ed6e480f831680N.exe	90
PID 4216 wrote to memory of 5076	4216	Hbdgec32.exe	91
PID 4216 wrote to memory of 5076	4216	Hbdgec32.exe	91
PID 4216 wrote to memory of 5076	4216	Hbdgec32.exe	91
PID 5076 wrote to memory of 2984	5076	Hebcao32.exe	92
PID 5076 wrote to memory of 2984	5076	Hebcao32.exe	92
PID 5076 wrote to memory of 2984	5076	Hebcao32.exe	92
PID 2984 wrote to memory of 1740	2984	Hgapmj32.exe	93
PID 2984 wrote to memory of 1740	2984	Hgapmj32.exe	93
PID 2984 wrote to memory of 1740	2984	Hgapmj32.exe	93
PID 1740 wrote to memory of 3324	1740	Hbfdjc32.exe	94
PID 1740 wrote to memory of 3324	1740	Hbfdjc32.exe	94
PID 1740 wrote to memory of 3324	1740	Hbfdjc32.exe	94
PID 3324 wrote to memory of 2408	3324	Hchqbkkm.exe	96
PID 3324 wrote to memory of 2408	3324	Hchqbkkm.exe	96
PID 3324 wrote to memory of 2408	3324	Hchqbkkm.exe	96
PID 2408 wrote to memory of 2588	2408	Inidkb32.exe	97
PID 2408 wrote to memory of 2588	2408	Inidkb32.exe	97
PID 2408 wrote to memory of 2588	2408	Inidkb32.exe	97
PID 2588 wrote to memory of 1092	2588	Ibgmaqfl.exe	99
PID 2588 wrote to memory of 1092	2588	Ibgmaqfl.exe	99
PID 2588 wrote to memory of 1092	2588	Ibgmaqfl.exe	99
PID 1092 wrote to memory of 2524	1092	Idhiii32.exe	100
PID 1092 wrote to memory of 2524	1092	Idhiii32.exe	100
PID 1092 wrote to memory of 2524	1092	Idhiii32.exe	100
PID 2524 wrote to memory of 1412	2524	Jaljbmkd.exe	101
PID 2524 wrote to memory of 1412	2524	Jaljbmkd.exe	101
PID 2524 wrote to memory of 1412	2524	Jaljbmkd.exe	101
PID 1412 wrote to memory of 3052	1412	Jlanpfkj.exe	102
PID 1412 wrote to memory of 3052	1412	Jlanpfkj.exe	102
PID 1412 wrote to memory of 3052	1412	Jlanpfkj.exe	102
PID 3052 wrote to memory of 2932	3052	Janghmia.exe	103
PID 3052 wrote to memory of 2932	3052	Janghmia.exe	103
PID 3052 wrote to memory of 2932	3052	Janghmia.exe	103
PID 2932 wrote to memory of 3556	2932	Jhhodg32.exe	104
PID 2932 wrote to memory of 3556	2932	Jhhodg32.exe	104
PID 2932 wrote to memory of 3556	2932	Jhhodg32.exe	104
PID 3556 wrote to memory of 3684	3556	Jdopjh32.exe	106
PID 3556 wrote to memory of 3684	3556	Jdopjh32.exe	106
PID 3556 wrote to memory of 3684	3556	Jdopjh32.exe	106
PID 3684 wrote to memory of 2860	3684	Jnedgq32.exe	107
PID 3684 wrote to memory of 2860	3684	Jnedgq32.exe	107
PID 3684 wrote to memory of 2860	3684	Jnedgq32.exe	107
PID 2860 wrote to memory of 4448	2860	Jhmhpfmi.exe	108
PID 2860 wrote to memory of 4448	2860	Jhmhpfmi.exe	108
PID 2860 wrote to memory of 4448	2860	Jhmhpfmi.exe	108
PID 4448 wrote to memory of 728	4448	Jaemilci.exe	109
PID 4448 wrote to memory of 728	4448	Jaemilci.exe	109
PID 4448 wrote to memory of 728	4448	Jaemilci.exe	109
PID 728 wrote to memory of 2036	728	Jlkafdco.exe	110
PID 728 wrote to memory of 2036	728	Jlkafdco.exe	110
PID 728 wrote to memory of 2036	728	Jlkafdco.exe	110
PID 2036 wrote to memory of 4560	2036	Koimbpbc.exe	111
PID 2036 wrote to memory of 4560	2036	Koimbpbc.exe	111
PID 2036 wrote to memory of 4560	2036	Koimbpbc.exe	111
PID 4560 wrote to memory of 3252	4560	Koljgppp.exe	112
PID 4560 wrote to memory of 3252	4560	Koljgppp.exe	112
PID 4560 wrote to memory of 3252	4560	Koljgppp.exe	112
PID 3252 wrote to memory of 2948	3252	Kkbkmqed.exe	113
PID 3252 wrote to memory of 2948	3252	Kkbkmqed.exe	113
PID 3252 wrote to memory of 2948	3252	Kkbkmqed.exe	113
PID 2948 wrote to memory of 5016	2948	Kalcik32.exe	114

C:\Users\Admin\AppData\Local\Temp\f14c9977a9a99851f3ed6e480f831680N.exe
"C:\Users\Admin\AppData\Local\Temp\f14c9977a9a99851f3ed6e480f831680N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\SysWOW64\Hbdgec32.exe
  C:\Windows\system32\Hbdgec32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\SysWOW64\Hebcao32.exe
    C:\Windows\system32\Hebcao32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\SysWOW64\Hgapmj32.exe
      C:\Windows\system32\Hgapmj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
      - C:\Windows\SysWOW64\Hchqbkkm.exe
        
        C:\Windows\system32\Hchqbkkm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Lefkkg32.exe
        
        C:\Windows\system32\Lefkkg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Mclhjkfa.exe
        
        C:\Windows\system32\Mclhjkfa.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        69⤵
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        72⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        77⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        83⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        90⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        91⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:8
1⤵
PID:5136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dadeofnh.dll

Filesize
7KB

MD5
808d43b0d0628877ce012fa94a1f4aca

SHA1
5869a849bb4399f833129d3127b76de882f1ff45

SHA256
3a335b8cf26ec13fc8f5f2991f570496db8f5a5f57cef66af917cc6b75cefddd

SHA512
d3befd6da4aedb790776ad288d81ac0d36252774810a3904cc1ba8649d76ef4460493c3952e0e4712e92346ef87661e99e8d4fc5472bb27ec5be9e77c75df794

Download Submit
C:\Windows\SysWOW64\Hbdgec32.exe

Filesize
285KB

MD5
6fe3a3ff66e40fa6267da69c75c6f746

SHA1
cf757fd0c8ccc0150344a82799fa3a8a46646a57

SHA256
9e10adb47af995aaf5f61e73395c96b167a8d4150be5e896b94e38a5bd599ef1

SHA512
4efec0a30017de1fbae44c92cba580e437ff7d89d9a989ede72d89708fdd2f40194861f4def9e2d8d02c6a0138edbbec38e7846a615b68554b67633548f43021

Download Submit
C:\Windows\SysWOW64\Hbfdjc32.exe

Filesize
285KB

MD5
71d29d39c4141e2b36a2eccad493389e

SHA1
35fe97b7d320d2ecf10a54b46dad99e7509e99d0

SHA256
8513b68745038789c7b5ff9dc95b5adca8a2ac70c8b2da59330cd75a5810c8ae

SHA512
ca1531ee36308d59278f71c2f7614be3f28845874217927b6846e11fa8d9b3672e0be5ad2efe62412a57b6d77840362fe82052f8af2abd1f933790f89d2ae238

Download Submit
C:\Windows\SysWOW64\Hchqbkkm.exe

Filesize
285KB

MD5
75b7ad7d0926eb8172d13de90dc751f2

SHA1
ac65a2361939f490d17311e62357623f27a6a66c

SHA256
8391864c12663293df906c8cda52bd7a931d4df03475305ce5bc741de893f65e

SHA512
01d22e1ccc1f132312a4a2033c537a606f21b5a6a263f24e27dea11510d63bcfba8d2659aca2a7bbf893ff233524de768e1aaf00af8faa7d3dbf2a0367ff4b45

Download Submit
C:\Windows\SysWOW64\Hebcao32.exe

Filesize
285KB

MD5
f90e72c3f40f7a920aee42312242f967

SHA1
353e7a886108c1f68f6b6a88bb27ddaca5e56a4e

SHA256
12f0d30451dae2ceb620ba5514b996a5256b274a49f30945fb48a0a2e0687446

SHA512
78102bcdaf23625bdbc71611b8fc251b095716acf50d442dde5cfbbe2cd3e9f6f3190802266f7724df19fbcdd34499b66b13e74e855f07ccf16afcb22c8b8b38

Download Submit
C:\Windows\SysWOW64\Hgapmj32.exe

Filesize
285KB

MD5
7720b34b403a86ceabb277ed85a4604d

SHA1
d653acfa49647caab8ac8814b2f5e05dda518777

SHA256
1b0374738a17376334371c9ef7c6cf6c7ab2b1733de2745054f4088294fbe190

SHA512
4259d0d971b46a5472348a5ae545c170b7973d4dcfb04b61bb1088cb3cd8796eaea24ea9db91c73c2a4352b219eb30cd8abc5476fe7c29ca56d38ecfa5c2487b

Download Submit
C:\Windows\SysWOW64\Ibgmaqfl.exe

Filesize
285KB

MD5
cd3419125d0f0fb638d9a14f57fa1f64

SHA1
9a20a522da48c8f1b5d080ecbcf976dad8dfaafb

SHA256
22f5900825d3c10673f2df2335c943b4cd0afaf0e4674ae8b720de07c9d11a93

SHA512
cc3ccdcf45f319c6054e6776e4a6cf850c364ab915225bd92dbf8ffe79e3ecd3e8f40c84a295c5d5fb075ca26e2753f8a9eeec01ae7583b7158d22b04e7abd07

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
285KB

MD5
bd42fcff537b5be7eedaa3df18aaaa41

SHA1
7c22c4868036f66f4cd446adf374704b20d255ad

SHA256
0045ec487e478b8ca852dc19bec01b1ee6e2c57e1c3bcae5c91166107c75f109

SHA512
06b39ebc41519488ec12e66779dd25e5f01018010d5ba3c477de51f519e571d05f9bc56fdd7e7213182390d627e070fb133ce0c3d14641a8b0277b4d80dc6770

Download Submit
C:\Windows\SysWOW64\Inidkb32.exe

Filesize
285KB

MD5
f8de5b6a97f395247359cd7c676f0bed

SHA1
21559c1711ebbd78e1096c998ab9cc1edc08453b

SHA256
da395b6d00c6415160d8adcaf7c8d0044171cde264189cc5d2dfc971cb8fca7b

SHA512
a29c24b4dfca09f1d4b15f3b0cc1c64bcff65dd0af2bb52526102a311ca4466c48c716e48897dc824404647a544135c76a053a66fda81fa556c6d8486cbae017

Download Submit
C:\Windows\SysWOW64\Jaemilci.exe

Filesize
285KB

MD5
c4098f5cffad05fc38c9255da0881ea9

SHA1
0fbcd4c958b7b743a23d22db2fb082e396115dae

SHA256
dc0783043e2f81d3c6d640010f2697c9638184dd3ee9bd0497148c3bebbd0e47

SHA512
e924219ff7721e661fd221becc5a0e3298187336894247a02cd42f2fb7ba2b764f49f9b034fc10f0f7ca8c2eed1a3b2beb1883c695c4864a6160a58063b350d9

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
285KB

MD5
4de149332a5ddec385ba1dab15209d59

SHA1
fb75323cddf300a055200fc927ab2cf96b504f9d

SHA256
befc3b83ab2abeb730ef20ffc7c174b858a0a2a987b6d1f9e26f86fb468dc0e7

SHA512
b900eb616870fa15c0b29b5b6bed49a784d5b5ac3cec6a5089d36cd30b3764a889f799ca29c2ecddc5400c6045d6f26aecdfbcb49fbda839f1f828686dec6d0c

Download Submit
C:\Windows\SysWOW64\Janghmia.exe

Filesize
285KB

MD5
b80d9762c62c99acea0e910a0b19a112

SHA1
049336496d04abdd73f9bafc0d517844f9a23e5d

SHA256
c91214683ecf38a2a3396cb4b8649e08904b948d3aa2463949c1fc0943beb01e

SHA512
514ece93080ae22fa857faa4e74868d5b8a30e124100367165d66bfbd928051d1e94efd4cd3f1ab7cc9b484448216481680d7a03b53077fa0b1cdadb36479892

Download Submit
C:\Windows\SysWOW64\Jdopjh32.exe

Filesize
285KB

MD5
7fb249df9dc26164bdc65691c1e38cec

SHA1
47ec417e6b72b8704f7b43bfab273add8bc5cda1

SHA256
2c2b7164067cd063fae4de77bf33a1d7d018d046ba32ead005e654888e1231c0

SHA512
175f1d33326ed4472fa3b67ca6a428d35fc9bdc76d7c9d79345c90272dd357c3b26a02276262122bc1d2729cde745c0a03d2f67cc1c59054a1a979b85f1a141a

Download Submit
C:\Windows\SysWOW64\Jhhodg32.exe

Filesize
285KB

MD5
51e12b1fc10610d059da8ce0f9ed4bd7

SHA1
d0c3feb316ba596faef865d199f8e7b3f1f14729

SHA256
2ec4dcc38edaebdfebcecb8788011357702af923c77f9214b3821196d45263ac

SHA512
3b275ac998a92513de71f5ef6bd0d256742948e4415a57d8123451a762731a25d790da1d3c17551fa4249dbf5d66b0a22bd9ebd8a0b1a9a3a5125114c33dd1b8

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
285KB

MD5
b6d25a491ba2aa8fa35f5944c707c391

SHA1
e89efc417c989bd36f1d974bd1fca006ec654b50

SHA256
c30f1eed5991e99c3e81ac1d2fa781942f00e1862ed053005a0846461bdf4db7

SHA512
47f34204692fb2b10a18e6dbf440dc5b20eb621b8e536362906687b46dbce5dc6ea9a45066edb21e76d7024dcb808d7f0d61f759f00fb3d0f8ff6e698887dfd5

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
285KB

MD5
4615017859cb6f1512cbb1214f6eefc8

SHA1
eb0d6db20ea288e1099e46dab93b2a404c2fea84

SHA256
ff811bce22c5828826542846769053bcb9b56a03b4a59b0af992d4f32e12ee08

SHA512
eeff428a02490543b04c1c72a25f1fa7420b4734707c645245a41c59c3ff41683a59b088ebcdd9d870e5a2ed22da83838c9353f24442e595d66a8e4a9b8e6087

Download Submit
C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
285KB

MD5
66c7c440442329a96d2bf5baed4fb6c0

SHA1
06461fe65b3003cbb6dfc2c310b4b0849b8aea9a

SHA256
07164e476391bf29007951b1891feb355bc6bec28b9c2ae44a44aa0361e2a824

SHA512
cc2a8069c506b3635dc6923033ca4f5bdd54bb3fafd4b002d5d3af171652cde6952c539fab2963d18b5e1742b754214aeb42ec323c99ea44574e3a9b8051b293

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
285KB

MD5
21f9996c86ece641769698a2c6bc5d95

SHA1
edca4cf1e8ffdf58807c7e745df9297baff48ee5

SHA256
a4cefad2f89b63aa24feaa2c4d10b2e107d4e7993dff61fd22c62f08a4740d21

SHA512
23af4b12487aa3df5e20e0f90607a11f0f65b09481959fb7057894252e41e7eed5cc045b7b3592d919637a671d7e329c48c1173d3695aa2fc64b762a37c1611c

Download Submit
C:\Windows\SysWOW64\Kalcik32.exe

Filesize
285KB

MD5
0c445ecf2e70ea3980f656bee7df0bd2

SHA1
71edcac83fc7d11ca6c4249600a007fe0ade68f8

SHA256
1264bd772ff66172a446e0746011fc6263e1cf1dd72e3ce9585d606a5a643d28

SHA512
f6167248649faa938f340af12f16e151b694b94ce2054663f2ba65674ac523c0f9cf745bd1c5f92a9e4fb59ffe101f22a689623919aa4a8c0bffeec6d005fb77

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
285KB

MD5
75af93caa910e27a123dc269b80f9718

SHA1
d9905cab0e97f217cb779693d129651cb6605cf5

SHA256
350bde6a778b6e1ecf9abcbe13182701639e48172ee9e0728dcdc28504688cd8

SHA512
6d2aaa0efbefb46a811267f54a5cee89d934ba857830d922c37e12bb4888911c608fb0df63d359790b07d30ac8617ffc0b915dbfa222a823b0f55a113f1ec847

Download Submit
C:\Windows\SysWOW64\Kemhei32.exe

Filesize
285KB

MD5
8e664205a74abf4806580ae573094fb5

SHA1
c6ab64312c07bfac4df0a5f0b078884a54bed3c0

SHA256
8347b4473d88a570477c2beba3fefccc8d6df3ecd2b450a572d66f6133a1f62e

SHA512
4705896cf6bd7fec8449bdc03826e6c5d17ace1d07c4901c72c1f22aae601b503e21875a20faa53788cd413a0c10ae71d57ee32e519acb8a77cc93558e04a78d

Download Submit
C:\Windows\SysWOW64\Kkbkmqed.exe

Filesize
285KB

MD5
39276a211e4bbacfdd540087c8cec7eb

SHA1
220a617bd860d214e1effd69c39dd67def880119

SHA256
dc8a439bc86b4fec579978edad76e84dc3d363061a4a911d2b8454c05e49a8bb

SHA512
a954438d3dbd2392c3e9aa2a4d933c0cbf5aa48d04f0e34a802c114890643b42a06a4be63370442730127ddae978a373449b5ea1bcb0da1e3396bbeb7ba49f45

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
285KB

MD5
947b14fdbcb3055baa7e151d97170da2

SHA1
64e3321f2b523c72fb213d1bf02dd41efb604b45

SHA256
fc23c992b8a48ef779238c4a62d8746ac6a5e143fde274d495cd524360f4f0e6

SHA512
aff790af2f2c4fc93c6baff2d188481d158ad14ca4dc16a09eef95947e4bb356736cac0e60691812fdc3efb9b05bcb4fa6f5b1aa6a4d561eb049ab5635247010

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe

Filesize
285KB

MD5
9b78ede3e0ffe7d74c290868a18ee8b3

SHA1
2d20f432993d3cafd0c7e63c7d9316f2acc2bc15

SHA256
f6e51e5a43ba62632fa95428a2237a14d82b5a2d1f154b3d5bdb6f54999b084a

SHA512
7b9f384e7a5dc1a7225cbc64985ef2e580869e84f73ef0f4854a75467b948047290de9a50cf5d0f4257d79f4ed77e87da544628283dde42b403251f27d61098c

Download Submit
C:\Windows\SysWOW64\Koljgppp.exe

Filesize
285KB

MD5
08be80bc6f44edf72152d865394d2b66

SHA1
2e0a8359cdb1804bfc19b6f8e0d8845d4967e760

SHA256
be47704496f210d2514d65aa3d3babebfa5e0f6f33e3d5e538687d6ea36f6a3d

SHA512
6247875f2f1690806289e16968ac1ff930af1436c863177816e0e0228110dad65749f4134c2e3ce9388c263c1a25066299aa0ae058616fce3a46ae4e4201891b

Download Submit
C:\Windows\SysWOW64\Lbebilli.exe

Filesize
285KB

MD5
f8197d70c32746424e4019e9921b45ad

SHA1
b26aa1be03baf809fb57ebbbf6fdd3a2e8400ce8

SHA256
390c642a4002305ddbc2358227c89e3546f980ddf87706f246f23a93684c7017

SHA512
cb808f6abd446531582cbf85379b5fd5a2656919ea4bd2657fc40498a25b8e8f6707e6ada1a8eb28ac0c48b20b7e783d3bea88a63b6e4ad76964328820963947

Download Submit
C:\Windows\SysWOW64\Lcjldk32.exe

Filesize
285KB

MD5
28ad3297c1ffd08a661792a78a3d6f86

SHA1
693536e30556957acb64df31b92b9de9448c83b4

SHA256
163a7ff7cf0305696211c5e27c5fe8fbb5a29d3bf9f3ed2ce3c1242923e08413

SHA512
89e78f399a0b6948b11289b830719756b4399ae1ea761b1354eb913b0b743e61e37b91bfd29b8b052e9f8d7f3a48318b64d4be39cb0427ddda397a8de91c32b9

Download Submit
C:\Windows\SysWOW64\Ldbefe32.exe

Filesize
285KB

MD5
dfd55d5900b0278c78805bcbcc3b50de

SHA1
feb3711a96f36e90e7d8bc465d16d2cbab3ba333

SHA256
1e3435b81ebb9ff3a0c6d79fa8313d24d487564fa0bd0e198457578d799a4ed3

SHA512
0f62cb7d1c5199fb6bdc654aa9d473f92ecb535f17bd2cf30b550361ba4b59d7ee083a3eff4ca421a82c43554df4a4f96c1d9990d9702cdc44bf431afcb703c5

Download Submit
C:\Windows\SysWOW64\Lddble32.exe

Filesize
285KB

MD5
3b161751c3bcfc6d2c2b83203a490122

SHA1
0b3d0557add5aef49c72fcc7d07c6cd9dd77bf0e

SHA256
4d32a82ee62a7db0f87100fc0c5fd860c29660588c8520dc2796fd07fd2f9a41

SHA512
1f17294b7a309e692862bc5ddca6fc4247e606efdc2ef27661876353c8cb3b53670005d97f28358cbe53197d084248c8964887adfedef6b7e1c39cb53b8b1143

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
285KB

MD5
96a99cb6676db2a144d3fe49d72463d5

SHA1
5d51a3f178567bb09d9cb22d1c81bb5042847677

SHA256
3691de7a2093ab34fcb337f2153df338aef08e2565a655f1f8ea30a70a83d0b9

SHA512
dcde0334892a349927d994875c57e8fb4872a2aa42e0cf8f47c5865aee999abc2649997b2a42e38540b4ead2c8abcef2b1f4a42231ceab261be62359aafce91e

Download Submit
C:\Windows\SysWOW64\Lefkkg32.exe

Filesize
285KB

MD5
9b9bbbd423490d778c744e4538f0aa9f

SHA1
843ef7cfe4c2693a30a601c1606c2adf48bb1e14

SHA256
ee440c5770a46dab35b381f43c10017a1b45136605d8f0b197e378f8a58559ad

SHA512
61bf4829d6b1d2014bf972667c03a0519545451c43617b8f02d81bb421ec59d66f9d68684340aa0ac747da720ed973b406686f4f7cc6b5c21c693122a62e8328

Download Submit
C:\Windows\SysWOW64\Lhgdmb32.exe

Filesize
285KB

MD5
936b5b1150c92ac0108222e61bc9fc7e

SHA1
e3b343a62c612e14cc01f25048cc2f7c012b53ee

SHA256
969e7ac18d33e192a39bfcf928d611a93ce8c70199b497cf59210660eb9050d1

SHA512
55f63f2beaa524dd0f6d5e623377fd3be717baba27c8fb8f64ea372f5ba9edca8c00e30dad9e1f518e9d14bcdd59a9ccb4b92ed7fcc55c846a1b35e7a219e22f

Download Submit
C:\Windows\SysWOW64\Logicn32.exe

Filesize
285KB

MD5
a71a3ab0e901295efc4bb360128b1a44

SHA1
762ca46b618f423aff7479f3b989c974271ac7c6

SHA256
9c7b215244e789a572ac6f9f9aae29a85bf9150dcf5ffdc43439091c06ae5655

SHA512
1aa6084d13a58f7cf43526900482dd2509e862c351c84864e00138241215dbde7ccb53cfd78f33ddca5456691fefcd89718429d8fab1e84c75231a0460802031

Download Submit
C:\Windows\SysWOW64\Mociol32.exe

Filesize
285KB

MD5
7216b9844ea4198f4b2ce89b2ec697e2

SHA1
87e2d8ff6f9463cf022e68ea5c0ef92021381f7e

SHA256
3c184e5cdd65bc21c1e01796e75fc06e875523db4d41e4eb6a4c6a1df5b55b9a

SHA512
daf12d5bf69437795cb45db9225d6172f99b2e096589385020aba71515d30e18100e37fea6ca8ef49c91063a5481e5519a19d558abd59169d60ca3b5064090c0

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
285KB

MD5
ceb314573d3e7fddae72c8bad1a1682b

SHA1
b966ccdb5e86ffaccd028845be4531ffdb085305

SHA256
80b2fc11206f38974cd52274492b65f813677eb0100811a3646834a8bb4b1209

SHA512
193d51fd6d0c7e21b758e24ee0f008646e4051cd800ef5f71e6a5a5e538053749a68f410e949cec820243e51ccc50c792905a6bb8d7ab3d5e12e25ca0237fbf5

Download Submit
C:\Windows\SysWOW64\Oloipmfd.exe

Filesize
285KB

MD5
2cecce1821c26d9a75359224c6576574

SHA1
472bcd4afd7706253a0e50b053c200c3f8c58a59

SHA256
53ba583c5ca960b65289e494b612aad68094b1ca0b3d64606aca40bc965ed40e

SHA512
32aca2d32f98611ce9f0b86bcc42c2309d17c7aaf0d2d9c7f87adbe47d40887fd3abcfde9f7ce78578f62967d6d56ba42e44d0e84969f77fd069da84a7e3b00a

Download Submit
C:\Windows\SysWOW64\Peempn32.exe

Filesize
285KB

MD5
865965c1941592db902d1b1af751b70b

SHA1
a0c338d9aa4e9fe20a24f110f50225e11f91a806

SHA256
482e5a5cb932a9e2bb30257943115de79351debbd487622fec099160d4d75f8a

SHA512
83d6c871a63ad0cd04e0721178cf85e8c7735b3b6b999e1831f6fe07753c9ce2e5a5732c115acdf149d56d8c6d7160add316c33e0162e819e4d4641be767e8fd

Download Submit
C:\Windows\SysWOW64\Pfppoa32.exe

Filesize
285KB

MD5
b0faa5a6ac51682a8cc68cced6959a95

SHA1
a1ffa6678272ec75831595629d0d072bc1b0ee53

SHA256
01ada0d23162afaf1491c939288c94033121155edeea0abfe40eaf9b102be5d0

SHA512
21c4114a5ef1329a0e7a586808ef6d4fe0c1ae3db65dbb3d90afeb24c55ca81144486168645e4d438d4a75ba9aee026fcdb0d64a95cf86b5d2ecff19fca33233

Download Submit
C:\Windows\SysWOW64\Qihoak32.exe

Filesize
285KB

MD5
449ed031c0e37fcf9104613da14fc550

SHA1
f9b2a79ec7cbc0e3a2d78470b5dc9afe4b5ad0e6

SHA256
52d847d8f5d496393c126578f5c4501de00617a633bd922edaf808beca6bf857

SHA512
f4b1cf63a3564f8c6855ba6019996b5994c5638fabfebb9a2ce4d96fb0af217d8f949cb4c565e1846c03b1d9f7a0f6f8b025703d8f403a9e72c078b537f0f698

Download Submit
memory/548-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/616-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-695-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/728-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-696-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-699-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-698-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-697-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-693-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-694-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5176-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5212-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5288-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5324-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5368-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5408-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5448-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5488-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5528-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5568-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5612-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5656-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5700-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5756-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5800-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5852-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5908-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5996-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads