dbb30104dbe5ef176592378a2d30ac4fc29e42dc070dd8571b44951278c60e7c

Analysis

max time kernel
113s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

814e3d275773e45940366dccac4b5a00N.exe
Size

72KB
MD5

814e3d275773e45940366dccac4b5a00
SHA1

4e1cb776a839035c867074c3f975a244541bbb03
SHA256

dbb30104dbe5ef176592378a2d30ac4fc29e42dc070dd8571b44951278c60e7c
SHA512

8ef1e15bb8b8a0096e7e1a6c935cdbacb86ab080274c97d7881242da628809b1c011f0cd0674a2d16595b9ca4cadf844c49c13c1345b559a7eb62cdb209959e9
SSDEEP

1536:JMNw2565a13qRTp/wM91TuBVWCPgUN3QivEtA:+Nw2gJ9/r91wV3PgU5QJA

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpegkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khlklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpakj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jahqiaeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klpakj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkofa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klekfinp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khbiello.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofegni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joekag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhenai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piapkbeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kabcopmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lancko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	814e3d275773e45940366dccac4b5a00N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mljmhflh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pidlqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjnnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllhpkfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofegni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfagighf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfepdg32.exe

Executes dropped EXE 64 IoCs

pid	Process
1748	Joekag32.exe
1708	Jikoopij.exe
1112	Jpegkj32.exe
4200	Jeapcq32.exe
3532	Jllhpkfk.exe
3044	Jahqiaeb.exe
3952	Khbiello.exe
3424	Kpiqfima.exe
3540	Kakmna32.exe
2560	Klpakj32.exe
2612	Kcjjhdjb.exe
4600	Keifdpif.exe
2800	Kcmfnd32.exe
3760	Klekfinp.exe
2544	Kabcopmg.exe
3084	Khlklj32.exe
3480	Lepleocn.exe
2080	Lpepbgbd.exe
4064	Lebijnak.exe
3724	Lllagh32.exe
3900	Ljpaqmgb.exe
4228	Lomjicei.exe
1976	Lakfeodm.exe
3692	Lhenai32.exe
1176	Lckboblp.exe
1916	Lancko32.exe
3668	Lhgkgijg.exe
2008	Lcmodajm.exe
3644	Mfkkqmiq.exe
2476	Modpib32.exe
2984	Mjidgkog.exe
3632	Mofmobmo.exe
4836	Mfpell32.exe
4272	Mljmhflh.exe
3928	Mpeiie32.exe
1960	Mjnnbk32.exe
4236	Mhanngbl.exe
3204	Mqhfoebo.exe
3376	Mhckcgpj.exe
4900	Mqjbddpl.exe
2944	Momcpa32.exe
2084	Noppeaed.exe
2960	Njedbjej.exe
1120	Nhhdnf32.exe
880	Nbphglbe.exe
1004	Njgqhicg.exe
4212	Ncpeaoih.exe
1344	Nimmifgo.exe
3116	Ncbafoge.exe
1560	Njljch32.exe
4220	Nqfbpb32.exe
3504	Ofckhj32.exe
212	Oiagde32.exe
748	Objkmkjj.exe
4492	Ofegni32.exe
764	Oiccje32.exe
3252	Oqklkbbi.exe
2796	Oblhcj32.exe
4908	Ofgdcipq.exe
3104	Oifppdpd.exe
3052	Oqmhqapg.exe
2180	Ockdmmoj.exe
1500	Ofjqihnn.exe
3720	Oihmedma.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eiidnkam.dll	Kcjjhdjb.exe
File created	C:\Windows\SysWOW64\Ilnjmilq.dll	Mpeiie32.exe
File opened for modification	C:\Windows\SysWOW64\Oihmedma.exe	Ofjqihnn.exe
File created	C:\Windows\SysWOW64\Pfhmjf32.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Jikoopij.exe	Joekag32.exe
File created	C:\Windows\SysWOW64\Mhckcgpj.exe	Mqhfoebo.exe
File opened for modification	C:\Windows\SysWOW64\Mhckcgpj.exe	Mqhfoebo.exe
File created	C:\Windows\SysWOW64\Omfekbdh.exe	Oflmnh32.exe
File opened for modification	C:\Windows\SysWOW64\Khbiello.exe	Jahqiaeb.exe
File opened for modification	C:\Windows\SysWOW64\Kcmfnd32.exe	Keifdpif.exe
File created	C:\Windows\SysWOW64\Lhenai32.exe	Lakfeodm.exe
File opened for modification	C:\Windows\SysWOW64\Lckboblp.exe	Lhenai32.exe
File created	C:\Windows\SysWOW64\Lhgkgijg.exe	Lancko32.exe
File created	C:\Windows\SysWOW64\Qckcba32.dll	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Njedbjej.exe	Noppeaed.exe
File created	C:\Windows\SysWOW64\Ghaeocdd.dll	Oiagde32.exe
File created	C:\Windows\SysWOW64\Pkffgpdd.dll	Khbiello.exe
File opened for modification	C:\Windows\SysWOW64\Pcpnhl32.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Paihlpfi.exe	Piapkbeg.exe
File created	C:\Windows\SysWOW64\Lfgnho32.dll	Pciqnk32.exe
File opened for modification	C:\Windows\SysWOW64\Keifdpif.exe	Kcjjhdjb.exe
File opened for modification	C:\Windows\SysWOW64\Oqklkbbi.exe	Oiccje32.exe
File opened for modification	C:\Windows\SysWOW64\Lhenai32.exe	Lakfeodm.exe
File created	C:\Windows\SysWOW64\Omdieb32.exe	Oihmedma.exe
File created	C:\Windows\SysWOW64\Icbcjhfb.dll	Ocnabm32.exe
File opened for modification	C:\Windows\SysWOW64\Kcjjhdjb.exe	Klpakj32.exe
File created	C:\Windows\SysWOW64\Nnndji32.dll	Oiccje32.exe
File created	C:\Windows\SysWOW64\Ofjqihnn.exe	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Hlhmjl32.dll	Ppikbm32.exe
File opened for modification	C:\Windows\SysWOW64\Mofmobmo.exe	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Cnaqob32.dll	Njedbjej.exe
File created	C:\Windows\SysWOW64\Klndfknp.dll	Ncpeaoih.exe
File opened for modification	C:\Windows\SysWOW64\Pcgdhkem.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Jahqiaeb.exe	Jllhpkfk.exe
File created	C:\Windows\SysWOW64\Kcmfnd32.exe	Keifdpif.exe
File created	C:\Windows\SysWOW64\Jicchk32.dll	Ljpaqmgb.exe
File created	C:\Windows\SysWOW64\Cgogbi32.dll	Lckboblp.exe
File created	C:\Windows\SysWOW64\Modpib32.exe	Mfkkqmiq.exe
File created	C:\Windows\SysWOW64\Bihice32.dll	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Joekag32.exe	814e3d275773e45940366dccac4b5a00N.exe
File opened for modification	C:\Windows\SysWOW64\Mfpell32.exe	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Kaadlo32.dll	Momcpa32.exe
File opened for modification	C:\Windows\SysWOW64\Jikoopij.exe	Joekag32.exe
File opened for modification	C:\Windows\SysWOW64\Kakmna32.exe	Kpiqfima.exe
File opened for modification	C:\Windows\SysWOW64\Nimmifgo.exe	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Pabcflhd.dll	Lebijnak.exe
File opened for modification	C:\Windows\SysWOW64\Mhanngbl.exe	Mjnnbk32.exe
File created	C:\Windows\SysWOW64\Lnpckhnk.dll	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Agolng32.dll	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Khlklj32.exe	Kabcopmg.exe
File opened for modification	C:\Windows\SysWOW64\Mljmhflh.exe	Mfpell32.exe
File opened for modification	C:\Windows\SysWOW64\Mjnnbk32.exe	Mpeiie32.exe
File opened for modification	C:\Windows\SysWOW64\Njgqhicg.exe	Nbphglbe.exe
File created	C:\Windows\SysWOW64\Ogmeemdg.dll	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Oqmhqapg.exe	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Npakijcp.dll	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Gbhibfek.dll	Pfepdg32.exe
File opened for modification	C:\Windows\SysWOW64\Lomjicei.exe	Ljpaqmgb.exe
File opened for modification	C:\Windows\SysWOW64\Lancko32.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Noppeaed.exe	Momcpa32.exe
File opened for modification	C:\Windows\SysWOW64\Ofjqihnn.exe	Ockdmmoj.exe
File opened for modification	C:\Windows\SysWOW64\Njedbjej.exe	Noppeaed.exe
File opened for modification	C:\Windows\SysWOW64\Lhgkgijg.exe	Lancko32.exe
File opened for modification	C:\Windows\SysWOW64\Njljch32.exe	Ncbafoge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5876	5780	WerFault.exe	180

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jahqiaeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khbiello.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnabm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbkml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mljmhflh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofckhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oihmedma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppikbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidlqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllhpkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcjjhdjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kabcopmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhanngbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiccje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfagighf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhenai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lancko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modpib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njedbjej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njljch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqmhqapg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omdieb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikoopij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keifdpif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klekfinp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljpaqmgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmodajm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjnnbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpeaoih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqfbpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Objkmkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflmnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omfekbdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpegkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lckboblp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhckcgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmmoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeapcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpiqfima.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpakj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpepbgbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noppeaed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	814e3d275773e45940366dccac4b5a00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqklkbbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piapkbeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khlklj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepleocn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgkgijg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Momcpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piocecgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joekag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcmfnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllagh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofmobmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqhfoebo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiagde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oifppdpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pififb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lakfeodm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfkkqmiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njgqhicg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nimmifgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofjqihnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pakdbp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll"	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll"	Oflmnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpgp32.dll"	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqmhqapg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khlklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfgko32.dll"	Lepleocn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll"	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabcflhd.dll"	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpemfc32.dll"	Lllagh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glllagck.dll"	Lakfeodm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	814e3d275773e45940366dccac4b5a00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdjokcd.dll"	Kabcopmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgogbi32.dll"	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejeak32.dll"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jikoopij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcomn32.dll"	Lcmodajm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holpib32.dll"	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpegkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcjjhdjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anafep32.dll"	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpegkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kabcopmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicchk32.dll"	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pencqe32.dll"	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofjqihnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhmjl32.dll"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hanpdgfl.dll"	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqpnq32.dll"	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpepbgbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhgkgijg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deaiemli.dll"	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhenai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maenpfhk.dll"	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll"	Pcgdhkem.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1748	624	814e3d275773e45940366dccac4b5a00N.exe	88
PID 624 wrote to memory of 1748	624	814e3d275773e45940366dccac4b5a00N.exe	88
PID 624 wrote to memory of 1748	624	814e3d275773e45940366dccac4b5a00N.exe	88
PID 1748 wrote to memory of 1708	1748	Joekag32.exe	89
PID 1748 wrote to memory of 1708	1748	Joekag32.exe	89
PID 1748 wrote to memory of 1708	1748	Joekag32.exe	89
PID 1708 wrote to memory of 1112	1708	Jikoopij.exe	90
PID 1708 wrote to memory of 1112	1708	Jikoopij.exe	90
PID 1708 wrote to memory of 1112	1708	Jikoopij.exe	90
PID 1112 wrote to memory of 4200	1112	Jpegkj32.exe	91
PID 1112 wrote to memory of 4200	1112	Jpegkj32.exe	91
PID 1112 wrote to memory of 4200	1112	Jpegkj32.exe	91
PID 4200 wrote to memory of 3532	4200	Jeapcq32.exe	92
PID 4200 wrote to memory of 3532	4200	Jeapcq32.exe	92
PID 4200 wrote to memory of 3532	4200	Jeapcq32.exe	92
PID 3532 wrote to memory of 3044	3532	Jllhpkfk.exe	94
PID 3532 wrote to memory of 3044	3532	Jllhpkfk.exe	94
PID 3532 wrote to memory of 3044	3532	Jllhpkfk.exe	94
PID 3044 wrote to memory of 3952	3044	Jahqiaeb.exe	95
PID 3044 wrote to memory of 3952	3044	Jahqiaeb.exe	95
PID 3044 wrote to memory of 3952	3044	Jahqiaeb.exe	95
PID 3952 wrote to memory of 3424	3952	Khbiello.exe	96
PID 3952 wrote to memory of 3424	3952	Khbiello.exe	96
PID 3952 wrote to memory of 3424	3952	Khbiello.exe	96
PID 3424 wrote to memory of 3540	3424	Kpiqfima.exe	97
PID 3424 wrote to memory of 3540	3424	Kpiqfima.exe	97
PID 3424 wrote to memory of 3540	3424	Kpiqfima.exe	97
PID 3540 wrote to memory of 2560	3540	Kakmna32.exe	98
PID 3540 wrote to memory of 2560	3540	Kakmna32.exe	98
PID 3540 wrote to memory of 2560	3540	Kakmna32.exe	98
PID 2560 wrote to memory of 2612	2560	Klpakj32.exe	100
PID 2560 wrote to memory of 2612	2560	Klpakj32.exe	100
PID 2560 wrote to memory of 2612	2560	Klpakj32.exe	100
PID 2612 wrote to memory of 4600	2612	Kcjjhdjb.exe	101
PID 2612 wrote to memory of 4600	2612	Kcjjhdjb.exe	101
PID 2612 wrote to memory of 4600	2612	Kcjjhdjb.exe	101
PID 4600 wrote to memory of 2800	4600	Keifdpif.exe	102
PID 4600 wrote to memory of 2800	4600	Keifdpif.exe	102
PID 4600 wrote to memory of 2800	4600	Keifdpif.exe	102
PID 2800 wrote to memory of 3760	2800	Kcmfnd32.exe	103
PID 2800 wrote to memory of 3760	2800	Kcmfnd32.exe	103
PID 2800 wrote to memory of 3760	2800	Kcmfnd32.exe	103
PID 3760 wrote to memory of 2544	3760	Klekfinp.exe	104
PID 3760 wrote to memory of 2544	3760	Klekfinp.exe	104
PID 3760 wrote to memory of 2544	3760	Klekfinp.exe	104
PID 2544 wrote to memory of 3084	2544	Kabcopmg.exe	105
PID 2544 wrote to memory of 3084	2544	Kabcopmg.exe	105
PID 2544 wrote to memory of 3084	2544	Kabcopmg.exe	105
PID 3084 wrote to memory of 3480	3084	Khlklj32.exe	106
PID 3084 wrote to memory of 3480	3084	Khlklj32.exe	106
PID 3084 wrote to memory of 3480	3084	Khlklj32.exe	106
PID 3480 wrote to memory of 2080	3480	Lepleocn.exe	108
PID 3480 wrote to memory of 2080	3480	Lepleocn.exe	108
PID 3480 wrote to memory of 2080	3480	Lepleocn.exe	108
PID 2080 wrote to memory of 4064	2080	Lpepbgbd.exe	109
PID 2080 wrote to memory of 4064	2080	Lpepbgbd.exe	109
PID 2080 wrote to memory of 4064	2080	Lpepbgbd.exe	109
PID 4064 wrote to memory of 3724	4064	Lebijnak.exe	110
PID 4064 wrote to memory of 3724	4064	Lebijnak.exe	110
PID 4064 wrote to memory of 3724	4064	Lebijnak.exe	110
PID 3724 wrote to memory of 3900	3724	Lllagh32.exe	111
PID 3724 wrote to memory of 3900	3724	Lllagh32.exe	111
PID 3724 wrote to memory of 3900	3724	Lllagh32.exe	111
PID 3900 wrote to memory of 4228	3900	Ljpaqmgb.exe	112

C:\Users\Admin\AppData\Local\Temp\814e3d275773e45940366dccac4b5a00N.exe
"C:\Users\Admin\AppData\Local\Temp\814e3d275773e45940366dccac4b5a00N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\Joekag32.exe
  C:\Windows\system32\Joekag32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\Jikoopij.exe
    C:\Windows\system32\Jikoopij.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\SysWOW64\Jpegkj32.exe
      C:\Windows\system32\Jpegkj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
      - C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Lllagh32.exe
        
        C:\Windows\system32\Lllagh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        41⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1120
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        59⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3412
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2924
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        81⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        86⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 400
        88⤵
        Program crash
        
        PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8
1⤵
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5780 -ip 5780
1⤵
PID:5852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jahqiaeb.exe

Filesize
72KB

MD5
f7a95151a2a5dadec947d5945a99ebc1

SHA1
072cdd4cf1dc45e523562eaf46b0ad0c09d4885b

SHA256
2b78cec8983affcb4f5d1f9a97776d8831a33b323aeda9b98653669ccefc5ffd

SHA512
faccd79f9f4f4a651f697d4cf60da948a7855108784c032e368b9a150b6de45b5ef52f86243a0459686bd1cf3d94b6ff428c0fa0e63956686a357b08d45181b2

Download Submit
C:\Windows\SysWOW64\Jeapcq32.exe

Filesize
72KB

MD5
fb7452e1e39be753a52da845897f2541

SHA1
70513d22261b30cd5d2ff8ca0cfdd5b1e7084a84

SHA256
4c25413258e35ffe71018e5476f73770b014b305eb6367cdff6d6123e060531c

SHA512
15f25be86eb111271092ae7a09fdfa989dc0c20d1ac1ad9545f46281a3c77a3773be570ecd3ef8db177a9004bbf37a4839531e8e63dfd3f5a7f7ace4aca71787

Download Submit
C:\Windows\SysWOW64\Jikoopij.exe

Filesize
72KB

MD5
46d3013f03bc4c0e1e61f423557f189d

SHA1
68ea9c8c4dd096ee1daa77f5af2ee4eb9980528b

SHA256
d6aa609914af78615bc26812e1eb39618f0f21fcd5e8eb2008c7c4f0d2b798c2

SHA512
cd06d000cfe0d8d03289935d02203d19448c330d0231786185eba2d1eb2f4a3d59825c647d630b9ce18a98ea0b1e514c06fccf085e6d54424ffed4a36c271964

Download Submit
C:\Windows\SysWOW64\Jllhpkfk.exe

Filesize
72KB

MD5
4fb357bfd8208effed1772be13af3d21

SHA1
1a208c50ee0b2ae3b3e936f8c1a0b3bdfb0566c7

SHA256
3c9bc9e700e923fdb1bf8c2bf7f991f05bc5e5f8e2d30d1d49ea3759d7c6c281

SHA512
3fbeda1756b3511cdb800f7c9409e02602ed763a6192879a08793537a3e86bd732fb2034ce3572367a25fa15aa1a1db19f9dcb6e82e8f1c2184aef8fe1b2dba0

Download Submit
C:\Windows\SysWOW64\Joekag32.exe

Filesize
72KB

MD5
3311ab84f3d39f0e2edce0f4172f5f2a

SHA1
28ac444a1691d33dba4e51b3e4f54c602bb2d145

SHA256
a6ef90fd635cd1a455bf1cb782d5c117621e57da7f178b51661dc690d22da464

SHA512
7602d12b76d8ffdf013555737e8292d1c43c2d45f7f0ba3ece58dcece3771a8bc5031f5d90cb0674224df798083152bab38f8028b794a3523f101bf2ce70eec4

Download Submit
C:\Windows\SysWOW64\Jpegkj32.exe

Filesize
72KB

MD5
6b8ce8f674beacc268d561bbd75afe86

SHA1
d062eedbb094f610242e343e44b378ab37e2aa07

SHA256
7921a098137d71efc48198350a424e9c34939a08a92e9cfd3077a3f680923e47

SHA512
3948c60fd3fb59f89043796c05f9cae8edb580cb5c9e03a2de470b8ad1824ac86420faafd03ae243117f0455b9fecff75fc0bc71c10318b1394f724e557be83f

Download Submit
C:\Windows\SysWOW64\Kabcopmg.exe

Filesize
72KB

MD5
cf15caa3cb97f981d6f99be45b7023d3

SHA1
deb142fc88b04640a3c5f414092e755dd9e12d84

SHA256
009ff9e01b773a48ba3bec605738648a2174192d9d810fd0118a1b66027850e5

SHA512
8c0eff2ee61153743923934d04cde26a4ee2f13c27d29e73255839b9646f30303624d8c9dd7af5197a7baba0d79385f195220e647982de0c6d8ac60c5eaa4760

Download Submit
C:\Windows\SysWOW64\Kakmna32.exe

Filesize
72KB

MD5
01a429054f4f58ecf5c003962cf676de

SHA1
35aea52a7391fa1f01c475a55eeea8890c4ab994

SHA256
8b52df19b5a584a9a7302aff3bf24b0b6c9a8db67c81df69aec62bfe163c69f7

SHA512
aa5fabc43112be9f31a6bf100dbaf4bbee51aa317351e59d8071ac5291bcf212df4ff19b599f69ef1afa082b4d3a456f7c192edf0f9c1c593f050e4dfb1ba2a8

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
72KB

MD5
3b40b2d92a4611c926614b35d36fba6f

SHA1
1f6c54f601e2e5c648b616af32cc2963be21ea89

SHA256
a4ba0e3ec5a4d5b74da82c6764940240ff2bc3321799d58fda9de0a955972d18

SHA512
1a1f7cf775ad5b2e6aacacb9434200b0c1f3737f889c9855a1756a2ed21a6468768ddfa2dae038871c68b2b5d04a7aff1ad3a86693633ca91ac858e113e896b5

Download Submit
C:\Windows\SysWOW64\Kcmfnd32.exe

Filesize
72KB

MD5
d1fa65dfa2ca16ec1dcb393118733103

SHA1
ca83dd5fba40357ec0cef12f0e704b21a7d29ee3

SHA256
6751ef7bf0f3073898f7beb51a4535602923ee73672fa9f67bae105437f9fd68

SHA512
6b656eba8902435b1689500c5eeff14180914b3c007169fcd784262012e870552b93c1c8795ff2bb189219a8f9733407d7eb6072bb48a1d9b964881a709b2e42

Download Submit
C:\Windows\SysWOW64\Keifdpif.exe

Filesize
72KB

MD5
d6495fc862891d0d5bc1423226621f0c

SHA1
9f3f2cc258026f50d6dc3a12c357c622ca0eef06

SHA256
ac0eff67b8d1c52b0538b2431ae1abc695a42b6fac16654e865e9235a1f30a01

SHA512
8a6d7c487f6f6f54e740ff8cfa861ce7ea2cef22601a17f771deb556950a3cc8ad8b03df6aaff609d90dcf5d8b9137251709c78dc03dbd33998849878c9a6171

Download Submit
C:\Windows\SysWOW64\Khbiello.exe

Filesize
72KB

MD5
372487fe86b3560a347a27811d4671a5

SHA1
4ebf016d6673c8ba90e9a964063abbb4561c5704

SHA256
8566111892f48ad64d5cd9fb8176900fb4c9850641374b0ec8780d0cab499172

SHA512
da236dd3887d2aeb06491f8e32e0fc57914df9930a68a3bc7c91259f3fdce60371c026785c7d1a495fc72ca1e9073fae56af3a86b11a5c63fcd05c82d81b3501

Download Submit
C:\Windows\SysWOW64\Khlklj32.exe

Filesize
72KB

MD5
951364845570eae50d66386dfbf03771

SHA1
129c85978e64d91c8a8e5d06ed64ef0a29443f73

SHA256
7683d866e6021721dd21f14cadc43c7312e97e187ec283cd7b44d3ad324ee426

SHA512
e6b0375ec02c9829cfa7d7c3fa5436da8786d8221843c53073de7f76469896e1daa10c1b38ea341de305d7cd798985f2ed8f066daccf05beb85371078bb58ed7

Download Submit
C:\Windows\SysWOW64\Klekfinp.exe

Filesize
72KB

MD5
cade75a78f73eb20d1ca8d8c17f18bb9

SHA1
f9959779e166264cfa92755fed8afbfac2f3474d

SHA256
f430c8dace13f05bad9c0d6ca56d57691df505241d65ed6b205b850bfb462766

SHA512
d44650a232e074947daf5db375dd549a558e559faa86026e37fd7d58c2358faf0631850f457c7cb18177de20040a88e8450b072683d49aa29fd73fdcd3c977d8

Download Submit
C:\Windows\SysWOW64\Klpakj32.exe

Filesize
72KB

MD5
89bd97e7f421f97f9064e39134f7de2f

SHA1
b9a821b09e803645e673c9c2c084b55ad5053977

SHA256
41d1e20225e7a3319f9ad434b7a72cb521791af5a965b3a5a7b7271ae81085d9

SHA512
f4eada10c448b37eceb48b2cf78dd5828900738fe77ac162a5eb6a19e906b91b94a6e754e7834686c748a6102cdba9014223d28a9fa7694cf6c61aad1fc5ee58

Download Submit
C:\Windows\SysWOW64\Kpiqfima.exe

Filesize
72KB

MD5
304d1aee2c5bdf4abcaa4cefd0655365

SHA1
cc6e59fce09c4661e4a71818f2e3bcdd23b39a57

SHA256
d4b73c22e737733b6f7f2789ba689ad0f9856c6d4243f5b972037ae005327c1b

SHA512
d608a3689502ba35f7e44ed040cadac26f65e53f6b81dd45fc1ca8c897d8496683e0f7026da6320c0a9bb7ab0dcd1b177e4a7bf5245bc2623f1431a12fac56d6

Download Submit
C:\Windows\SysWOW64\Lakfeodm.exe

Filesize
72KB

MD5
36b8a6ebe6c16b452100876ddba01fe3

SHA1
4088866514eaf3b1c8e2d4af8825b566047abb70

SHA256
76218e86e417d6b219f5cf7ff6c8553976e28a24d4678c1dfa072f88f7567d55

SHA512
e33a0ca9bca8ce75f8e5219bf3575740e065a49f219d42b9a3e7dbacd8ab6e50e09aabf516fefd08a10becccb56491a90e0c5c38cf6fe77edc528cde0c8c5b4a

Download Submit
C:\Windows\SysWOW64\Lancko32.exe

Filesize
72KB

MD5
3e2f081ed004490ec2cde56fbe915252

SHA1
a002029645ca35bb5345f8dbf19fdb253780c07c

SHA256
77e3f4bc9a26177ae43100ddf5ba88e2a10db9eb99871109ac1def8ddff5b586

SHA512
7d59343cc43749b5169c7d82a88f6d2709f8e65be8a6ac103cf2ef80caa0818480705cca1dc3b4ad259725ad5bf8de11798b8a0fa1904905c6e8fc262f48fc17

Download Submit
C:\Windows\SysWOW64\Lckboblp.exe

Filesize
72KB

MD5
4dd2ae85438abbfcc1fa93c38fc43965

SHA1
04991ccf478123bc6448947c7d229e835a6b2236

SHA256
8cb3f0c60982a37d7feec8f11a3f35684b1233f7b824ce90985bf23eb94a36d6

SHA512
09fbf8422f512062e22b8b52216f4372530b46ae208fc26aeb8948ac879461ce2bfddf308eee6e2ab7136a3d44bef3309696a3a36f9a97cd5b986cf9a1eb4c70

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
72KB

MD5
858634a81e125ebc4bd987b21ba4b710

SHA1
78fd5c509e0a93bcccc8a9120cf8801ebf66c0c1

SHA256
e57141cbbda582549d058c9b14c261d3b8a350852837ef1a85cf14e7c7efca93

SHA512
8f4ffcbe85500b6e95201015b6b59a32925ddecbab6d291dc1e1ebe174fb5110b04162d87b2963712dc8a77e558e728040b701f166f3e6c19178ca842fc7d635

Download Submit
C:\Windows\SysWOW64\Lebijnak.exe

Filesize
72KB

MD5
b27e6797d957f4176affa7d1ddfa160e

SHA1
3cdb7deca7cede3c76b82bcf16846ac3f8e437f8

SHA256
b683213069e4e0127ffc35cd02a69818f225cdf17b5516755dd85544752142e1

SHA512
5379027db932b81c445f78dcd0cf3e7594b7be918ad4374ffcb2aa769ce1fdfc507c5a69f29d0f1a9102060231532b6f757b468fde09cf493753a41fd4c5e122

Download Submit
C:\Windows\SysWOW64\Lepleocn.exe

Filesize
72KB

MD5
fad50e734141d1fc4a9ce79bea4033d8

SHA1
76c1bb0bf2084bf3c09a4929ddbb6968dfa0a3c5

SHA256
919eb7fa3902382292d11b2bb4c13afd84254523777d7937852bc82513d605cc

SHA512
1582bedf8298be7219a52594b19eb3edfb6190ffb1f06c0f7fecf22a83247a283e721d3a5cc52bcb47ca0f7b03c1a4aa6bc8bf3b4141fa8a4bf725fcc8583681

Download Submit
C:\Windows\SysWOW64\Lhenai32.exe

Filesize
72KB

MD5
c6b911f336fe5074a5925b83139452ba

SHA1
45d365b27cb3ddc3da3e4896845e749f77fa7a1b

SHA256
a81788a792bd6df104dbd9ea6af6e0c5fd096694df026dd6558babb6ed015bff

SHA512
e94ca13a6274d3cc71ef22bfddfb31095f401b9c3d4f36c7d49842c3d450ec5561ab1e29b2bbd18687962aec924f192df77ea5b16384d4b98530de777ff674b8

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
72KB

MD5
7a1bcdf2709b514087806b71af0da31b

SHA1
35aa38c46b1bf08688ef789013d445f0d2bdfda1

SHA256
392b366445241db52b6d35ab00b9ecfed1d738935111b814be0ea1995fc48290

SHA512
a8fa668e32831903d286a1748d1750029d34cb911140ae37917d7f9573e82e04aefb9203d1f3ebdc420c7eb389e92d24e2d51907fe06d645584436986ef717a4

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
72KB

MD5
023e3bfe69ffc44a71396e572d7bfcba

SHA1
b16c2b508e0719436217da3758ae5ed1b716352c

SHA256
abeaa6fae6aebe9f58e4d13fcb9c3e93b3dd77806f1e9397f25210eb5223c376

SHA512
8adb1cb42151f568fc29a5c9a270670401e59417d2c33fc3b7d2f058083b0fcb537aff6d590665948bcbdd9d7836446ac06b354c6e50feb9f142f2047477c40d

Download Submit
C:\Windows\SysWOW64\Lllagh32.exe

Filesize
72KB

MD5
f3d30df816a5a288237da97228de5e7f

SHA1
60b4a9af63b5cfcf47a14905afad74313182116d

SHA256
e70480e8c885273bd01560f68a0ac6c1f6bda14f95d8d36168ff2752399392bd

SHA512
553b17f9d0e6d651f34d41d12f9160939fb3fbda1091b76c3751216253f001a0beae9015e6e13c48e3d06cb76529bd995204bffb2596101b195500e94bdf0c8d

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
72KB

MD5
2b1428f7af09d0596149faec4524f04b

SHA1
755be1d65ce95aae4e525a8e440b6b983fc4e846

SHA256
3813562b7c968fa48f4f94bfa9d2215f2dfd278b40e06610f8dddea18330d4e7

SHA512
7a45280a669d1145efd6b5236b7a421470b1d2a09f26444a004405356bf6559c487abc7bc74169046e84728271c1f684579a09f22d5ca0e1ab4dcd4795e1a571

Download Submit
C:\Windows\SysWOW64\Lpepbgbd.exe

Filesize
72KB

MD5
466daef6f7196a17b640978e4a473304

SHA1
1cc56562c9856e9bce3c41830098150edfc1e00e

SHA256
75cf8ed80c9125fb61ca554107009c93f0d78d1b9fba747177176b4ad6256f74

SHA512
690630b5740dbafabbd732bf00ea6ffbee56498b02113b1e81e460c3254ceb5622f0a2e7ff1f14d50b16030217ac85d69a728ca0fa0045ce061f84ad46c98b3b

Download Submit
C:\Windows\SysWOW64\Mfkkqmiq.exe

Filesize
72KB

MD5
4c6844aae5945660122c24748db690ab

SHA1
464d5c2db188e0d20316fd3eb242f2d9d26b9e1c

SHA256
dc910d6fb68c2b8bdd52bf88e6e20852b70106763497bb4f1db32f9b0381b238

SHA512
37dba462e59d5c79c1534bfaa6da0e7c2e99a3327655a0f4d15ad0732fafe2c46947a55ec2d74efbb19c1ac3cde108286abd831663e600389500fb879e8ffaed

Download Submit
C:\Windows\SysWOW64\Mjidgkog.exe

Filesize
72KB

MD5
8e2294b74006165cf2d166d843fdbcd5

SHA1
5d7de36af24f6a8f46cc4b1e0488234f0aa58dba

SHA256
e5eff629b265ce0603097fc722370984a3eee52025eca278bc6faaffec359805

SHA512
9015df1a2f687730a97f43690073f7ae8aa5aeb0dd95a646079610d6c92ae455f2b703dc3d9b69497428b8c6c85b67634357100bb3dac02f35163753c96f5b4d

Download Submit
C:\Windows\SysWOW64\Modpib32.exe

Filesize
72KB

MD5
bcf5c2cecff0b16a7d3f38cde70a5cad

SHA1
d915a298647bfabc804cca7a2c0a730e0add236c

SHA256
27d7b4376deb323614377f5753ad3d58b1847fd834c8a6bc528ba408b9275082

SHA512
2f7f6172d45bf59590c548d3eea39bd2b333b774b4cc3d8c64e75ca30b057f1876c16785f2131f89b3939dd9537cef99f468cfe1d4aed5e7073e9cc7503b53aa

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
72KB

MD5
adf6ba2097d0983e8d58741760a28567

SHA1
5fe2d4ffb7f155026cf559f26ed976cfb5fb5d48

SHA256
1322ebd68a8800cafecb5ad85deb0b07aa176bde94295e5c4aa5fff9c61f168e

SHA512
23e5697404c206a9ea10440b2e9aa26b53c3bbdab7370ee6ac3b66aadb501461041fda31d6876f0f4e767f9e0d2af93ab5bcfe8649e00babfc88234c62c112ff

Download Submit
C:\Windows\SysWOW64\Omfekbdh.exe

Filesize
72KB

MD5
402bd551ff5fd443eb6e79bbe39bac40

SHA1
2a486e20b16a494f85481155fd4788437e05d375

SHA256
acac9af7f57c3685da9892b84475ab89c8392a635b0a1abef06d196b3f3e735e

SHA512
5f4a928152b5dd4e791b69f86ae7dbedb54b89ffa82c6e062a2631253e7b8444cb192a5ff04e11dd19fdd7b1031c3456f3b524d8751c55cae2f234570a778756

Download Submit
memory/212-421-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/624-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/624-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/748-428-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/880-439-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/880-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1004-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1112-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1112-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1120-427-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1120-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1176-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1176-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-387-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1560-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1708-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1708-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1748-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1748-93-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1916-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1960-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1960-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1976-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1976-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2008-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2008-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2080-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2080-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2084-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2084-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2476-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2476-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2544-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2544-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2560-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2560-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-94-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2800-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2800-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2944-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2944-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2960-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2960-420-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2984-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2984-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3084-227-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3084-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3116-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3204-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3204-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3376-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3376-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3424-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3424-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3480-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3480-236-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3504-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3532-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3532-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3540-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3540-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3632-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3632-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3668-237-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3692-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3692-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3724-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3724-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3760-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3760-204-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3900-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3900-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3928-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3928-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3952-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3952-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4064-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4064-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4200-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4200-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4212-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4220-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4228-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4236-379-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4236-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4272-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4272-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4600-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4600-191-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4836-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4836-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4900-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads