5515ed684fa5023d4b62970ac0d7520449f2dab3a668033ea5ede4a09b3bd10c

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

336627ac280085ef51919f450d8ac030N.exe
Size

93KB
MD5

336627ac280085ef51919f450d8ac030
SHA1

f3bacbf7b44fb55045f365acb592cd4f709363f0
SHA256

5515ed684fa5023d4b62970ac0d7520449f2dab3a668033ea5ede4a09b3bd10c
SHA512

d4f291851620d8061e6a72c5731042af5d0e62a967f6d31cb72841472e2f9df8747d60f5573b8defe340e9efeb5071180809d685b5a13f75cba46370a1f178a8
SSDEEP

1536:zFdsQ2AwYz6znbjIEZ+4X0pS5aNyT4sRQ7RkRLJzeLD9N0iQGRNQR8RyV+32rR:hdsQerIpy0pkHe7SJdEN0s4WE+3K

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpiqfima.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfidb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jifecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laiipofp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhcali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncmhko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdieb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpqggh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpqggh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Likhem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooibkpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipkdek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kekbjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pimfpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfccogfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pblajhje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oihmedma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihkjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhnojl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgkan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laiipofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfnhfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhnojl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likhem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iijfhbhl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhcali32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njbgmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblmgf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeocna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhqefjpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kofdhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lohqnd32.exe

Executes dropped EXE 64 IoCs

pid	Process
4152	Ihkjno32.exe
3628	Inebjihf.exe
3368	Iacngdgj.exe
3720	Iijfhbhl.exe
3840	Ilibdmgp.exe
3240	Iojkeh32.exe
4508	Iiopca32.exe
1120	Iolhkh32.exe
4308	Ihdldn32.exe
5008	Ipkdek32.exe
1304	Ibjqaf32.exe
4532	Jhgiim32.exe
2140	Jlbejloe.exe
2764	Jblmgf32.exe
2884	Jifecp32.exe
1960	Jlgoek32.exe
3884	Jeocna32.exe
820	Jhnojl32.exe
4064	Jbccge32.exe
3376	Jbepme32.exe
332	Kiphjo32.exe
3104	Kpiqfima.exe
2980	Kolabf32.exe
1708	Kcjjhdjb.exe
2184	Kidben32.exe
1808	Kcmfnd32.exe
1216	Kekbjo32.exe
4464	Kpqggh32.exe
4636	Kcoccc32.exe
2984	Kofdhd32.exe
5004	Likhem32.exe
1136	Lohqnd32.exe
4836	Lebijnak.exe
1712	Lhqefjpo.exe
3316	Lcfidb32.exe
3384	Laiipofp.exe
1720	Lhcali32.exe
3876	Lchfib32.exe
2556	Ljbnfleo.exe
2236	Lplfcf32.exe
1464	Lckboblp.exe
224	Lfiokmkc.exe
640	Loacdc32.exe
1612	Mfkkqmiq.exe
1044	Mpapnfhg.exe
4164	Mfnhfm32.exe
3228	Mpclce32.exe
2800	Mhoahh32.exe
4668	Mcdeeq32.exe
5076	Mhanngbl.exe
1896	Mokfja32.exe
4848	Mjpjgj32.exe
3584	Mhckcgpj.exe
3504	Njbgmjgl.exe
4004	Nmaciefp.exe
1512	Nfihbk32.exe
2144	Nqoloc32.exe
3608	Ncmhko32.exe
980	Njgqhicg.exe
1944	Nbbeml32.exe
4228	Nqcejcha.exe
1880	Nfqnbjfi.exe
8	Ooibkpmi.exe
3760	Ojnfihmo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iiopca32.exe	Iojkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Iiopca32.exe	Iojkeh32.exe
File created	C:\Windows\SysWOW64\Iolhkh32.exe	Iiopca32.exe
File opened for modification	C:\Windows\SysWOW64\Lplfcf32.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Kpqgeihg.dll	Pimfpc32.exe
File created	C:\Windows\SysWOW64\Kcoccc32.exe	Kpqggh32.exe
File created	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kakmna32.exe
File opened for modification	C:\Windows\SysWOW64\Pbjddh32.exe	Paihlpfi.exe
File opened for modification	C:\Windows\SysWOW64\Laiipofp.exe	Lcfidb32.exe
File opened for modification	C:\Windows\SysWOW64\Mhanngbl.exe	Mcdeeq32.exe
File created	C:\Windows\SysWOW64\Jlmmnd32.dll	Lfiokmkc.exe
File opened for modification	C:\Windows\SysWOW64\Njbgmjgl.exe	Mhckcgpj.exe
File opened for modification	C:\Windows\SysWOW64\Jeocna32.exe	Jlgoek32.exe
File created	C:\Windows\SysWOW64\Akmcfjdp.dll	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Fllhjc32.dll	Ocnabm32.exe
File opened for modification	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kakmna32.exe
File created	C:\Windows\SysWOW64\Ocgkan32.exe	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Ahhjomjk.dll	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Cmgilf32.dll	Mokfja32.exe
File created	C:\Windows\SysWOW64\Fanmld32.dll	Nqoloc32.exe
File created	C:\Windows\SysWOW64\Phgibp32.dll	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Kpqggh32.exe	Kekbjo32.exe
File created	C:\Windows\SysWOW64\Nnkoiaif.dll	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Eapjpi32.dll	Paihlpfi.exe
File opened for modification	C:\Windows\SysWOW64\Lcfidb32.exe	Lhqefjpo.exe
File created	C:\Windows\SysWOW64\Ipamlopb.dll	Lhcali32.exe
File opened for modification	C:\Windows\SysWOW64\Mpclce32.exe	Mfnhfm32.exe
File created	C:\Windows\SysWOW64\Nmaciefp.exe	Njbgmjgl.exe
File opened for modification	C:\Windows\SysWOW64\Njgqhicg.exe	Ncmhko32.exe
File created	C:\Windows\SysWOW64\Ihdldn32.exe	Iolhkh32.exe
File created	C:\Windows\SysWOW64\Kcmfnd32.exe	Kidben32.exe
File created	C:\Windows\SysWOW64\Ncjakdno.dll	Kcoccc32.exe
File opened for modification	C:\Windows\SysWOW64\Mhckcgpj.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Nfihbk32.exe	Nmaciefp.exe
File opened for modification	C:\Windows\SysWOW64\Iacngdgj.exe	Inebjihf.exe
File opened for modification	C:\Windows\SysWOW64\Ipkdek32.exe	Ihdldn32.exe
File created	C:\Windows\SysWOW64\Jlbejloe.exe	Jhgiim32.exe
File created	C:\Windows\SysWOW64\Mnknop32.dll	Jlgoek32.exe
File created	C:\Windows\SysWOW64\Emlmcm32.dll	Lcfidb32.exe
File created	C:\Windows\SysWOW64\Lchfib32.exe	Lhcali32.exe
File created	C:\Windows\SysWOW64\Lfiokmkc.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Jhnojl32.exe	Jeocna32.exe
File created	C:\Windows\SysWOW64\Pjlcjf32.exe	Pimfpc32.exe
File opened for modification	C:\Windows\SysWOW64\Pfccogfc.exe	Pafkgphl.exe
File opened for modification	C:\Windows\SysWOW64\Inebjihf.exe	Ihkjno32.exe
File opened for modification	C:\Windows\SysWOW64\Lhcali32.exe	Laiipofp.exe
File created	C:\Windows\SysWOW64\Fdflknog.dll	Mfkkqmiq.exe
File opened for modification	C:\Windows\SysWOW64\Nfqnbjfi.exe	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Gggikgqe.dll	Nfqnbjfi.exe
File opened for modification	C:\Windows\SysWOW64\Ocnabm32.exe	Omdieb32.exe
File created	C:\Windows\SysWOW64\Abbqppqg.dll	Jbepme32.exe
File opened for modification	C:\Windows\SysWOW64\Mokfja32.exe	Mhanngbl.exe
File created	C:\Windows\SysWOW64\Alapqh32.dll	Mhckcgpj.exe
File opened for modification	C:\Windows\SysWOW64\Nbbeml32.exe	Njgqhicg.exe
File opened for modification	C:\Windows\SysWOW64\Ooibkpmi.exe	Nfqnbjfi.exe
File created	C:\Windows\SysWOW64\Kidben32.exe	Kcjjhdjb.exe
File created	C:\Windows\SysWOW64\Ichelm32.dll	Kpqggh32.exe
File opened for modification	C:\Windows\SysWOW64\Ljbnfleo.exe	Lchfib32.exe
File created	C:\Windows\SysWOW64\Ceohefin.dll	Mcdeeq32.exe
File opened for modification	C:\Windows\SysWOW64\Nqcejcha.exe	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Iacngdgj.exe	Inebjihf.exe
File created	C:\Windows\SysWOW64\Ffdihjbp.dll	Inebjihf.exe
File created	C:\Windows\SysWOW64\Lplfcf32.exe	Ljbnfleo.exe
File created	C:\Windows\SysWOW64\Omdieb32.exe	Oihmedma.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5744	5656	WerFault.exe	177

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekbjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbeml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iolhkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kakmna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omdieb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnabm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojnfihmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgnam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihkjno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbccge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcoccc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebijnak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lchfib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpapnfhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oihmedma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paihlpfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pblajhje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inebjihf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhnojl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfnhfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmaciefp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcjjhdjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfqnbjfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhmjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfkkqmiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjfdfbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	336627ac280085ef51919f450d8ac030N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilibdmgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblmgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbepme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laiipofp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhqefjpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpclce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhckcgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmhko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqklkbbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iacngdgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iijfhbhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpqggh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lohqnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqcejcha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loacdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbjddh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iiopca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihdldn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhgiim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kolabf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcmfnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcfidb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjaleemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pififb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibjqaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbejloe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpiqfima.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljbnfleo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfccogfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcdeeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojhiogdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnenlka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeocna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhcali32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfiokmkc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhckcgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmdohhp.dll"	Kcmfnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Lcfidb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pblajhje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lckboblp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll"	Ihkjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppadalgj.dll"	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll"	Lhcali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanmld32.dll"	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncmhko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lfiokmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcomn32.dll"	Loacdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcmfnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	336627ac280085ef51919f450d8ac030N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhnojl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbepme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcjjhdjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlbgmif.dll"	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jlgoek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kakmna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll"	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkffgpdd.dll"	Kiphjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfomc32.dll"	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laiipofp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmcfjdp.dll"	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnkibcle.dll"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chjjqebm.dll"	Pafkgphl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	336627ac280085ef51919f450d8ac030N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilibdmgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmhel32.dll"	Iolhkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnpn32.dll"	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjali32.dll"	Ibjqaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhcali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpagaf32.dll"	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfgnho32.dll"	Pblajhje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jifecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kofdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lhcali32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amcpgoem.dll"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqfgdpo.dll"	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgiiak32.dll"	Iiopca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll"	Jhnojl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 4152	1168	336627ac280085ef51919f450d8ac030N.exe	88
PID 1168 wrote to memory of 4152	1168	336627ac280085ef51919f450d8ac030N.exe	88
PID 1168 wrote to memory of 4152	1168	336627ac280085ef51919f450d8ac030N.exe	88
PID 4152 wrote to memory of 3628	4152	Ihkjno32.exe	89
PID 4152 wrote to memory of 3628	4152	Ihkjno32.exe	89
PID 4152 wrote to memory of 3628	4152	Ihkjno32.exe	89
PID 3628 wrote to memory of 3368	3628	Inebjihf.exe	90
PID 3628 wrote to memory of 3368	3628	Inebjihf.exe	90
PID 3628 wrote to memory of 3368	3628	Inebjihf.exe	90
PID 3368 wrote to memory of 3720	3368	Iacngdgj.exe	91
PID 3368 wrote to memory of 3720	3368	Iacngdgj.exe	91
PID 3368 wrote to memory of 3720	3368	Iacngdgj.exe	91
PID 3720 wrote to memory of 3840	3720	Iijfhbhl.exe	93
PID 3720 wrote to memory of 3840	3720	Iijfhbhl.exe	93
PID 3720 wrote to memory of 3840	3720	Iijfhbhl.exe	93
PID 3840 wrote to memory of 3240	3840	Ilibdmgp.exe	94
PID 3840 wrote to memory of 3240	3840	Ilibdmgp.exe	94
PID 3840 wrote to memory of 3240	3840	Ilibdmgp.exe	94
PID 3240 wrote to memory of 4508	3240	Iojkeh32.exe	95
PID 3240 wrote to memory of 4508	3240	Iojkeh32.exe	95
PID 3240 wrote to memory of 4508	3240	Iojkeh32.exe	95
PID 4508 wrote to memory of 1120	4508	Iiopca32.exe	97
PID 4508 wrote to memory of 1120	4508	Iiopca32.exe	97
PID 4508 wrote to memory of 1120	4508	Iiopca32.exe	97
PID 1120 wrote to memory of 4308	1120	Iolhkh32.exe	98
PID 1120 wrote to memory of 4308	1120	Iolhkh32.exe	98
PID 1120 wrote to memory of 4308	1120	Iolhkh32.exe	98
PID 4308 wrote to memory of 5008	4308	Ihdldn32.exe	99
PID 4308 wrote to memory of 5008	4308	Ihdldn32.exe	99
PID 4308 wrote to memory of 5008	4308	Ihdldn32.exe	99
PID 5008 wrote to memory of 1304	5008	Ipkdek32.exe	100
PID 5008 wrote to memory of 1304	5008	Ipkdek32.exe	100
PID 5008 wrote to memory of 1304	5008	Ipkdek32.exe	100
PID 1304 wrote to memory of 4532	1304	Ibjqaf32.exe	101
PID 1304 wrote to memory of 4532	1304	Ibjqaf32.exe	101
PID 1304 wrote to memory of 4532	1304	Ibjqaf32.exe	101
PID 4532 wrote to memory of 2140	4532	Jhgiim32.exe	103
PID 4532 wrote to memory of 2140	4532	Jhgiim32.exe	103
PID 4532 wrote to memory of 2140	4532	Jhgiim32.exe	103
PID 2140 wrote to memory of 2764	2140	Jlbejloe.exe	104
PID 2140 wrote to memory of 2764	2140	Jlbejloe.exe	104
PID 2140 wrote to memory of 2764	2140	Jlbejloe.exe	104
PID 2764 wrote to memory of 2884	2764	Jblmgf32.exe	105
PID 2764 wrote to memory of 2884	2764	Jblmgf32.exe	105
PID 2764 wrote to memory of 2884	2764	Jblmgf32.exe	105
PID 2884 wrote to memory of 1960	2884	Jifecp32.exe	106
PID 2884 wrote to memory of 1960	2884	Jifecp32.exe	106
PID 2884 wrote to memory of 1960	2884	Jifecp32.exe	106
PID 1960 wrote to memory of 3884	1960	Jlgoek32.exe	107
PID 1960 wrote to memory of 3884	1960	Jlgoek32.exe	107
PID 1960 wrote to memory of 3884	1960	Jlgoek32.exe	107
PID 3884 wrote to memory of 820	3884	Jeocna32.exe	108
PID 3884 wrote to memory of 820	3884	Jeocna32.exe	108
PID 3884 wrote to memory of 820	3884	Jeocna32.exe	108
PID 820 wrote to memory of 4064	820	Jhnojl32.exe	109
PID 820 wrote to memory of 4064	820	Jhnojl32.exe	109
PID 820 wrote to memory of 4064	820	Jhnojl32.exe	109
PID 4064 wrote to memory of 3376	4064	Jbccge32.exe	110
PID 4064 wrote to memory of 3376	4064	Jbccge32.exe	110
PID 4064 wrote to memory of 3376	4064	Jbccge32.exe	110
PID 3376 wrote to memory of 332	3376	Jbepme32.exe	111
PID 3376 wrote to memory of 332	3376	Jbepme32.exe	111
PID 3376 wrote to memory of 332	3376	Jbepme32.exe	111
PID 332 wrote to memory of 3104	332	Kiphjo32.exe	112

C:\Users\Admin\AppData\Local\Temp\336627ac280085ef51919f450d8ac030N.exe
"C:\Users\Admin\AppData\Local\Temp\336627ac280085ef51919f450d8ac030N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\SysWOW64\Ihkjno32.exe
  C:\Windows\system32\Ihkjno32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\SysWOW64\Inebjihf.exe
    C:\Windows\system32\Inebjihf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\SysWOW64\Iacngdgj.exe
      C:\Windows\system32\Iacngdgj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3368
    - - C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3720
      - C:\Windows\SysWOW64\Ilibdmgp.exe
        
        C:\Windows\system32\Ilibdmgp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Iiopca32.exe
        
        C:\Windows\system32\Iiopca32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Jhgiim32.exe
        
        C:\Windows\system32\Jhgiim32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Lohqnd32.exe
        
        C:\Windows\system32\Lohqnd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3536
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        75⤵
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5656 -s 412
        88⤵
        Program crash
        
        PID:5744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:8
1⤵
PID:5460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5656 -ip 5656
1⤵
PID:5720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deocpk32.dll

Filesize
7KB

MD5
c5b81c3ce1543ed6bbe66cdb6e807ee3

SHA1
94b8925e23b27fb9330ff8518b116ba4eb5a9513

SHA256
8c2c298fa5282476a022e5ebfb01fa75d510edc008d709f051d356385ee1e6ed

SHA512
1b193ab47b37a51aa16fe6c6e064348a9f8eb10ecbe55e3c80248e99c3794ad5bf09f2c6702c580e03e88a8f260feeffb443cb24d390b5b31a6e8b8a287fdbc4

Download Submit
C:\Windows\SysWOW64\Iacngdgj.exe

Filesize
93KB

MD5
41eb6942b568947416f49d3f5569f37c

SHA1
49c10694bf9185ecb7694646168d5eb2e5a250fb

SHA256
c15106d401d7e7ba0f7c892938fca59fdcb886be9eab1d0088baaea1767dfbb3

SHA512
32d7a4858c8959e264cae27eb1740d88b0e9f580689f63710760c9dc89ab0be2d662cd4b530fe1921feef99e3d96caf541d7c611e2375016c532b198d20506a0

Download Submit
C:\Windows\SysWOW64\Ibjqaf32.exe

Filesize
93KB

MD5
f982f03af67bbb033cf364c70fd21ad1

SHA1
1a940fe1017cba2ff7a88778335a0da02f67ff6e

SHA256
46dd5ae3a624f75e9f00693ea95dfadba10142648684502e830f6770ad3a0204

SHA512
cde103090156844e73e375cc9d25728501226eaef4679169bfd2bbc8e04143ec72fd58cace4b1a74bacd6f1d9a7db414f4219c21513a5ab125f4c33a5d61153c

Download Submit
C:\Windows\SysWOW64\Ihdldn32.exe

Filesize
93KB

MD5
c362c243b3ce7086b6662c7f89db0fe1

SHA1
cfd270fce0f267626b1a21f5d911d3facd31de36

SHA256
f357db82baad6a56c89527ddb92559205329f2a4bbfe586f0870159b92e6a403

SHA512
6479c08e551b175a542b4e44d89da6ede4972158652a5172928929d860b90a4c3011818bb3fb0280b32087a6c6df1a31a77f24e7942a46c8f9d5bdf4553485f0

Download Submit
C:\Windows\SysWOW64\Ihkjno32.exe

Filesize
93KB

MD5
60bf1eb0c3f0ea15dc7750a8f8fc92bc

SHA1
35e521602a24158bee0c64feb7939d6d23074855

SHA256
901784c870915e7be8295f576aa8d5a3aaa39b90f9ea1702e333d19459962b7a

SHA512
956f14777371dc5b6fb41e2e69bc31ee5d4d0fc9dcca032e580b2cf3a3fed9ded3a97e912f990000786d40b8185df4af3eec01695b69b06cadbd8660965d2ab1

Download Submit
C:\Windows\SysWOW64\Iijfhbhl.exe

Filesize
93KB

MD5
ddb5913b4ab34219917df5fa084496c7

SHA1
13f9d67fe1493b23cc0a612cf29c219a788ff2f7

SHA256
c5250bf4926846a30cbe4a46999a019547dcda1aa4184169f799fb8bad41995b

SHA512
454ed5865fae6ea0a96bb93514cee5aa6832f0f53cef035d8b3f4d95f2923b2fd462adfe934c95ff82a261aa17d60485376fe02409e43e3f9768cbd08d13daa6

Download Submit
C:\Windows\SysWOW64\Iiopca32.exe

Filesize
93KB

MD5
d0820abcc8319bda0509d8656ed84d24

SHA1
9e20520d4175152eed2807828a15472590475333

SHA256
52269c7e1713f896818cfc1cf013bbde2a11365128f8f8ecfce11b9221e14c23

SHA512
c02eaeb1ee37d6b2cdd04e30dab3ca4dbc8c6fc82a2b304bec6997c65f874a5661f15dc35f6df1f17b6b167cb51f31d30a3dc610be614a4be9710a11a8e11406

Download Submit
C:\Windows\SysWOW64\Ilibdmgp.exe

Filesize
93KB

MD5
2221b183482fddaec28d1d81e8bb65dd

SHA1
9dd1ec03ee787d4e79189a270e18a21cced79599

SHA256
3fe7ff49aa38bdb0a2d5ecc8c3349d452715da01d30de0a14ef54c3c4dbcd268

SHA512
2bedf50a3d23fc2822b9821198aaf75389b97b5891fc5d3fab07e4230767edb8592200d65d487cde6d99cd1a4f4d1295a2b01f3037f8323eff66abdc7894aed8

Download Submit
C:\Windows\SysWOW64\Inebjihf.exe

Filesize
93KB

MD5
a349b39fecf8be9daa8823165d9a9029

SHA1
70f11c465e03ac7637ac0392dbd355a324a5f200

SHA256
b53945d33a396dbe29ceca59c68af2acfbd937107a7283fd849030522cc40714

SHA512
664d44f5772b7a88a4d9889ba94b5420a7420eb4c9c3aae7959df646e886876d7fdb41b63f99fa85dc0e71004d725c099f2771e108955c679f27c03654db9a9b

Download Submit
C:\Windows\SysWOW64\Iojkeh32.exe

Filesize
93KB

MD5
228622ed01d7e4be701907598f872a5a

SHA1
b00474ac0e43570aa37e3a98318bd0ed42f64c1c

SHA256
773a288dcd0b00e3167876520e31243aeb2f598cf3bccda03d3485185a2d900d

SHA512
ff7395b0c222756048bb8657c8efb1fd3e5282ebca02ec43239e40ae88a5b6aff2224c70e55002863e3d46172cb6f1d6f888bf17ae951b03e05b92bff09d2cb8

Download Submit
C:\Windows\SysWOW64\Iolhkh32.exe

Filesize
93KB

MD5
77ee16329b832b2160907248b677c0ba

SHA1
3e9fab6854923a88b268adb2b4ec9901ee3caa96

SHA256
0a2c0aab198b18dcc98be149d033bcc9984ec3beb14e0faaa57e8f09050ac8e7

SHA512
f5ca4d8970f37ec92ba4c52aad0ab4a517d423e1181d1e88bf4a6c87f30751823180451b43f52b02ffa8768105cf439364fc3d81922e4a789b513a555d9209c6

Download Submit
C:\Windows\SysWOW64\Ipkdek32.exe

Filesize
93KB

MD5
5bbc30a716d2b173a0c088c01318bef1

SHA1
aa11cd19aff77bd540dde97025d80a8a391be0f5

SHA256
c36c26bab061157f07270d570d0953a9ac784b4fdb9f3c7905390d444a47d88a

SHA512
a17118283a50e35b7cb764fe8c36a4954dc0d6c27bc5269ea8856cf6d3f9ae02bdf3d682c9607da10b77302c59575f996563c6760dbc05fe202b591ba118ad44

Download Submit
C:\Windows\SysWOW64\Jbccge32.exe

Filesize
93KB

MD5
9b923980a0164f5aedbaf4960a163469

SHA1
961ac069e62e9b516c816c336d3e55521b8a36be

SHA256
2a16d27eac1e193766e7b7d8163eaabf7b26eb6a0d0fa60aa0160b17cc23e345

SHA512
6cd1cfefb51dc29ddd04f7269e2b4f7ba822126cbd79ca9dd0eb8530ac7e6768057c9490d4fca6932b8a4224fa92847c5dc543e763cceaa5a32744bcd5f500c8

Download Submit
C:\Windows\SysWOW64\Jbepme32.exe

Filesize
93KB

MD5
e125302a54ca5785f7c3fd3581e971a9

SHA1
108e514ee8c12d7ccc1ef4c71e6cd63e25f15f23

SHA256
d1ba80b1c494685ee0f8f78566dc7f5931eabbc35169a1985dc31ff322f604cd

SHA512
c328963d71e68f21679837fcf32e8720b6f194f611422f5626a54fd8df25019892c2a5e5218ccd281f164e11a9faccc186f45cc5957abda50eb216ec100886c6

Download Submit
C:\Windows\SysWOW64\Jblmgf32.exe

Filesize
93KB

MD5
3391fc5128bc2df736b82f9709b4ea85

SHA1
8c3abcf6e61e21d8a822787c5a7a9d7d130b8526

SHA256
652c4cdd5e7c6cf017432936eb550dccab12047274e6d6df16a0817747219169

SHA512
ace0fa4bc8fdea46694879859bdadb2d1ab9e5a3b3caeb1ed87f95ccba1aba81affe2f3dbf4590dff39f1dd683cf6e961f420da0614ca93766e0983eeee51071

Download Submit
C:\Windows\SysWOW64\Jeocna32.exe

Filesize
93KB

MD5
39699c130f7358220d40e13be77b6c52

SHA1
f6e5bc44ecfa00ea2acc5513058effd907430a6f

SHA256
ddf7837e54ce5aac13feed483cff3520936a7e4400b15b2bcfe738223591693c

SHA512
c16f941f0fe2f44d30f038cf58c604a0a57a45e269cd1256916ed8f9d006d25092d3050fd4f1db2ddb3bf95247077a5109a7210b14d3e0aa848d217f337f0d8b

Download Submit
C:\Windows\SysWOW64\Jhgiim32.exe

Filesize
93KB

MD5
c9553201a28590c8a2ad428f0b2f59b4

SHA1
6893d3126b66e9df8435861c3ac0d6f82f7fd1ef

SHA256
eddb2e0363c6ca02243a324b17c2a71d5197592912677c281dea939d2d448eb4

SHA512
0bb3bfe2a248c6d6ff015bcad5403baf7c03cedd35c333bdadaab82369aac53cedc060ef929035c77ec79a0b7aef14f0705cb977952d426b4626495f56cbccaa

Download Submit
C:\Windows\SysWOW64\Jhnojl32.exe

Filesize
93KB

MD5
3fa0579053600130052c2baa957a0422

SHA1
04f275bac20733632fafa5fd1cb8d8966a682b4b

SHA256
0e41b360b9bd44345ab2f8c04e042aa417c0d7869a74cb80bbfe1af7443e5600

SHA512
ff9bb2419722e82b77d44e698c9296f323dd98a120be1d8b366c59d03e1219cac0bd0a7e337149cb18ba8ff029e7fed06702e211f41d03f1d2a73f4db5f782f0

Download Submit
C:\Windows\SysWOW64\Jifecp32.exe

Filesize
93KB

MD5
f2c1d0c1663e29ac612a9d12f0992633

SHA1
ad6cd97ecdfa8bb65362de69a658e38567522f46

SHA256
791f279801caa5ec1a4572e0535f3ba6734a0cb83bacb8b18b6a34c88882f19a

SHA512
feba40be347574299d558f08748eba544ac9e59521c01f1a7fec7cebe0d699d5c1d91988a53b8a1ec05d6d3ab06bee86b415cd5f26d61fffc0b660a9896e6ca0

Download Submit
C:\Windows\SysWOW64\Jlbejloe.exe

Filesize
93KB

MD5
a98901feb343087483a2175b71b977b4

SHA1
8158b15a2e01e143aed6c35ee1ced5f342aadc21

SHA256
9c4828d0c05f7b7039da46626dda1f1d9312d86a9ee69120e5ad07ac9c1db8c8

SHA512
dfa84ee2bff4f731f7af7934bde8dac75a7da89e846efebc7f3d18c73b5514e844e231560b4ce1ff238a89f26bcf31501d1a89f8472949038b9089529df1071c

Download Submit
C:\Windows\SysWOW64\Jlgoek32.exe

Filesize
93KB

MD5
a431c4a9b4f8194a8e9bc13e4e656cf1

SHA1
d04faa4e433f5bc2a2e53cd43d20340fc0f896ac

SHA256
96b11a228941f399bb1a3c9cc46909197971bd3b1518e48a2ac07a7ebb5508c4

SHA512
b3fd792518bca9d2b00d0fe2e6c6cbe70d48080bbda072e5e3111e80bcfe29892231d5cc13fd08352a99a39a92c75b758b8e08e6c1b29d25eb0d99b27f358b65

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
93KB

MD5
6de6a9fc692f99087791a3f4fcd02190

SHA1
5788ceb103169c12d9ab4ce6e561410561910dab

SHA256
808f8271b313c1e477ceb3f2cf7ca1d8aa3cc4f68a7f70c96a17e13439f99f6e

SHA512
fd79bc0ed417def5fcc41df1e621eefa6d3446587d73bdde9f233004e09c3e562dd3d97591523d83c7cd283e6a8e07ea6360bf0d64ee59fd6ce7c7abc85b137f

Download Submit
C:\Windows\SysWOW64\Kcmfnd32.exe

Filesize
93KB

MD5
2c60902b079e3b7fc9eb7aaf55bc58ad

SHA1
84a3768529716867598f75d0fdf97c17fb7387eb

SHA256
b7498b37df4d02bf106e81526201edb93409fa0a556e22f3ccaecde50314eb20

SHA512
d386263915f2cbc921202db9967155f7a800df6d827d0ca7964d423e36a251741467e2f196ed6fd3bac9f75d8f3192b2ac331e880f2a5294ea31aa79c2c7b339

Download Submit
C:\Windows\SysWOW64\Kcoccc32.exe

Filesize
93KB

MD5
b02074e38056401c457ce58a96be3757

SHA1
ce630eb6488cbe42e25bc3376b4688cfdff25692

SHA256
ca71d620c62df5cbcfcee83a6f36c87347c7e529a05c9ce91e1e2e86a7e85e1c

SHA512
09f3ead65db8ff4b366a9a4ec468877c07c6112bdbc514e37a753faea037b190c44b98985b76d865d97f171bd795066a009f7c59873ab8f70832171687bcc8e0

Download Submit
C:\Windows\SysWOW64\Kekbjo32.exe

Filesize
93KB

MD5
796ad6d28a4014fc939ebfab289ca6dd

SHA1
6c70acaf855e3dc4d2e61b0ad6ead048790950bf

SHA256
ada1fd5ec7328b9b9d721d8157581233f8ade1802a9aedd28dec93799af1c6fb

SHA512
64e8c950023241e8e9b8ab976615e50a5a9faaec7f668ff0cf03581dbb4a86aca26592e814c21344e84aee0351f0732a541753c0b0f7508fdd343cefdc30288e

Download Submit
C:\Windows\SysWOW64\Kidben32.exe

Filesize
93KB

MD5
8e5a633ba8c8e34fbc864039b7f920fb

SHA1
0177e4e98c939ab72b2002f7243ad6cac6a6f646

SHA256
b8ad00ed87df294ea2b3fa7ac447963f052aec2af551d050dfd80b2900ff8517

SHA512
6037567153df69d184e2948c1da716bc6bb55452597c777a12d585fc03e167d0ab0146689ba85085eee49b0b032b77dee8104049e7f686f9f0465cbde665d6c6

Download Submit
C:\Windows\SysWOW64\Kiphjo32.exe

Filesize
93KB

MD5
857af55c764e22096a21601532c9b02d

SHA1
1db483cb25d9694a0b828925645eef3f1e94e503

SHA256
958b75a17771044ea087bc6d4d737741e084b6eb7fe5803a3a94c25ac20b10f9

SHA512
653373f2fc8ec3c53f1ee6163ed31cf92891e4066482ad553b4331f0058ac0ffb983be41bd9d110840f5268a74d6aec0e31918dac811f94fa53729cfc8df9359

Download Submit
C:\Windows\SysWOW64\Kofdhd32.exe

Filesize
93KB

MD5
f6f3181de8b2fc16213fd70973d76113

SHA1
4eb8c7cb7f68474a632f3c77434d25354b1d5dc6

SHA256
3edd981b07f5609b3541fab49560aad905d9861366b589dafeffb575d8b3ac84

SHA512
712ffdb251be08c8cee75e8de45c92fc283d4e74e03f7460692aab6e6da30b0edbc4b9a71adbb9de8823c1d487cc98346b5bef6048a5bee19e86abc0d72d3d3a

Download Submit
C:\Windows\SysWOW64\Kolabf32.exe

Filesize
93KB

MD5
8952af896a69f9d9bc436340f46f79a4

SHA1
e5211935af3b7b7499265c05cd2731ba5f393242

SHA256
8fa80772e7794fb839fad64a14cbc70cbeb2da582f6370a75f5885787523229e

SHA512
a6ecc2458e782c32a4db5f2050b1b20e3f3513a1548e2f56f9e378f01e0d344d5d913ed6835cc88881d3ff7618463107c7f2342d3b0111b77bbc80365c634de3

Download Submit
C:\Windows\SysWOW64\Kpiqfima.exe

Filesize
93KB

MD5
ec3d1500a818786cba583069c388d3d6

SHA1
da630fbf4575c819dae590cf4bc3d62662f95319

SHA256
655a8045f9fde71e5279564edff2598fabb8be7d86c75a638287d9ab3c52fc2d

SHA512
2b301c1c65d94acb02f765b96c430fd8ead80836817e7b488cfbc545cab214a026310cda3281e99c3b873908d1f74e0c75bf7ad6a2e9654e8fbf902589f00d8a

Download Submit
C:\Windows\SysWOW64\Kpqggh32.exe

Filesize
93KB

MD5
9025db90df0de0739c426d845aa75a41

SHA1
a21d089402d57987bbfa51ab6b3cc56a6c72c64c

SHA256
b81d6fb26b51daac7a9e77b1fdd1ca96e3d09354209e0c2408e833e128f3c1a3

SHA512
4eb4560decc378646b4db0e00b88dc70497a79871e4ec6b17052b4d6fa3f5e6311694bac237dc7c3c9c6d81c514017132a095888d364d31fe53f49b3268ddcf7

Download Submit
C:\Windows\SysWOW64\Lchfib32.exe

Filesize
93KB

MD5
e037734b4e59f0c3315caef01a7df31d

SHA1
f1b0aadb1eeab18b52ea6a6209b19225ef7a6640

SHA256
dac9cea214130b6a87f6e1de425b5c2bdeeae9369f07e09f512b0bce680bf5f0

SHA512
e9dc5b5955700b68e623e88e57db70be3a743e3fded269c53b321ec9de40e21d3d9256c9222d0678649aa673bcb2fe87de0e69ee043899d3e12e888514029958

Download Submit
C:\Windows\SysWOW64\Lebijnak.exe

Filesize
93KB

MD5
37bccf8f48ee56001d7b4313467af479

SHA1
27f88b788299cd323c23d840fd37c9d9ed227867

SHA256
cc23f079d4647ef6cb67d1925be2e9ba9c13f49fe7ade0fab19bab919da2c461

SHA512
a0ba3c52a28736395e053da9e3eb668e2ae1109a4ccc720ced2ea5fc079f18fcef045483b34dff9e740b34249fa921268747ca0c30f6cb8adb319701fe7a602b

Download Submit
C:\Windows\SysWOW64\Likhem32.exe

Filesize
93KB

MD5
6478fd39a30091c2f3ed988f521e7820

SHA1
6c0d1635ce97fb95ab8b78188e7c881e0a4ed6da

SHA256
ed457e43f75e5517b2929436a8439314f9a6877331d1f4940bac1c16a4225675

SHA512
18bd90de560c0198fb77e97cf8e1d17a3fd198d66b19d5960c19c35c781ef300613594936485e51fdfd762641d1312d4d2f789e3ad236b9687d5d377b2f7d258

Download Submit
C:\Windows\SysWOW64\Loacdc32.exe

Filesize
93KB

MD5
d763aa14639ca6e5ec691e66439fd247

SHA1
90f6962a64f69f9fff5735266e65b6c48e3ac4f9

SHA256
171984839128940487a69d365bbf383fb36004c69b7c6c9a921f6720950b61b5

SHA512
32770645f257cc07fe936407f2a5e31cc7bff46a920214cbab56863b7288be39959c6a97466bf9f3da55b6fbadf11ed88a41d4a7dfc9c0f92eda7a90044f137e

Download Submit
C:\Windows\SysWOW64\Lohqnd32.exe

Filesize
93KB

MD5
53e0ad8e3d5b375ce5e5195098ca0789

SHA1
dba49b94b40717d7ce8b9e28192104e62de08018

SHA256
e3cbffcb89a744768c59aee50297e7f74adba6810361435b35a05f9fd15ebe84

SHA512
bcbcc30611addefdfe50665686dd6c248a81c0fb332a376493212edd78a41301e9b407637a788aa89ccf767e6e96e0860e9ae2e1eb6409f605d687b71c7ea1f0

Download Submit
C:\Windows\SysWOW64\Mhckcgpj.exe

Filesize
93KB

MD5
8471abd4c8906bbdb4a9823bbbbd5148

SHA1
0d6fefbd72c7f6ded0736430dcbe111182e4600d

SHA256
39c51580c481103e4a306ec2395321119ec4e6745bfb865f6eb59c9b8fff13dc

SHA512
5c127b9a102023f05c425515bad524007732c34444e7a711897ed7056c446f25f1250cfc54d58400b6405dd64ff39b66c33af4d042d236aef19c98285e683f0c

Download Submit
C:\Windows\SysWOW64\Nmaciefp.exe

Filesize
93KB

MD5
e5ae91db379952c39b2df312db167490

SHA1
e85ce8d87d8d1c24e97d0fc370ca96830eb2e758

SHA256
e867ba498657a9a2a25053a5669c863e8e7d2028cb585137486553d57ffa4192

SHA512
4b608aff3d3d9847de3fe582c28b68a9cbf6249fd64e8bbd721cd5e6ba80b69ed8a809c9a1fd955c0ce6629d98cb3a1623eaaf7f02cd6f700ed574527cbaf744

Download Submit
C:\Windows\SysWOW64\Pbjddh32.exe

Filesize
93KB

MD5
963f53565fc5811036b6014522f5b102

SHA1
024a3b45c413dbeda8bd7b025702e37c06e63e52

SHA256
a6062946a11603418e636fd6c4c141c2678da7506e9bba91f8db73b27a63b71e

SHA512
ebe50e476c13d1cb2af9b201b87269e5433a71fc72b03b5422e2cdec4f2a378d70b452f04a382906aa0910716fe60b4d6d096737af0568e6e8db880cfd20c3ac

Download Submit
memory/224-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/224-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/332-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/332-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/820-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1044-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1120-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1120-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1136-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1136-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1168-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1168-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1216-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1216-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1304-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1304-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1808-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1808-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1896-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3104-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3104-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3316-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3316-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3368-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3368-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3376-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3376-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3840-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3840-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3876-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3876-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3884-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3884-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4164-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4308-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4308-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4464-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4488-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4488-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4668-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads