a5dc135916bb3611791a5794b52a8cd923648f346a8f4d3d6736ec1358e8453a

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5dc135916bb3611791a5794b52a8cd923648f346a8f4d3d6736ec1358e8453aN.exe
Size

395KB
MD5

92e28fbff9cac7bf264382264d3357d0
SHA1

0c15b4bf1be5612cb81dbf6f2762660f2e567e9b
SHA256

a5dc135916bb3611791a5794b52a8cd923648f346a8f4d3d6736ec1358e8453a
SHA512

e6c783f7fa68f024ff4f7226a20cc31450f20001d52d58aef080d44a08ae9d48902d649767d7f2b3c03b10a7ecc342acf82cc5b2c5078aee1d3e934c007ec7ad
SSDEEP

6144:fx7ULbvkTiIYs4y70u4HXs4yr0u490u4Ds4yvW8lM:fxgfVs4O0dHc4i0d90dA4X

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemooo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampaho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjhkmbho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefiopki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljpaqmgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khlklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kifojnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afcmfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likhem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qikbaaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeapcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefiopki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofefp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalofi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kifojnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpepbgbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qikbaaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhffg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a5dc135916bb3611791a5794b52a8cd923648f346a8f4d3d6736ec1358e8453aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppaclio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddfbgelh.exe

Executes dropped EXE 64 IoCs

pid	Process
640	Ihpcinld.exe
1996	Iojkeh32.exe
3840	Iialhaad.exe
588	Jldbpl32.exe
5052	Jocnlg32.exe
1528	Jeocna32.exe
4532	Jbccge32.exe
1784	Jeapcq32.exe
4808	Jllhpkfk.exe
3936	Kefiopki.exe
1056	Kplmliko.exe
760	Kapfiqoj.exe
1244	Kifojnol.exe
1492	Kemooo32.exe
3196	Khlklj32.exe
4792	Likhem32.exe
3632	Lpepbgbd.exe
664	Ljpaqmgb.exe
4580	Ljbnfleo.exe
5024	Lcmodajm.exe
2924	Mhldbh32.exe
2040	Mjlalkmd.exe
2568	Mcdeeq32.exe
3432	Mhckcgpj.exe
1264	Nfihbk32.exe
4184	Noblkqca.exe
4264	Nbbeml32.exe
1916	Nbebbk32.exe
3396	Ojnfihmo.exe
4176	Oblhcj32.exe
2156	Ofjqihnn.exe
4120	Obqanjdb.exe
3132	Pbcncibp.exe
4100	Pmhbqbae.exe
4372	Piocecgj.exe
316	Pcegclgp.exe
4000	Pfccogfc.exe
1904	Pcgdhkem.exe
2348	Pakdbp32.exe
1664	Ppnenlka.exe
1920	Qppaclio.exe
3476	Qiiflaoo.exe
2224	Qapnmopa.exe
5096	Qikbaaml.exe
3308	Aabkbono.exe
488	Abcgjg32.exe
368	Acccdj32.exe
4244	Abfdpfaj.exe
3868	Aagdnn32.exe
5076	Afcmfe32.exe
976	Amnebo32.exe
1456	Ampaho32.exe
4072	Bmbnnn32.exe
4648	Bmdkcnie.exe
4928	Bapgdm32.exe
4364	Bjhkmbho.exe
4272	Bbdpad32.exe
3176	Binhnomg.exe
4092	Bagmdllg.exe
3676	Cajjjk32.exe
4844	Cdhffg32.exe
2360	Ckbncapd.exe
660	Ccmcgcmp.exe
1912	Cmbgdl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Amnebo32.exe	Afcmfe32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbncapd.exe	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Ghnllm32.dll	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Hlkbkddd.dll	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Anijgd32.dll	Ekgqennl.exe
File opened for modification	C:\Windows\SysWOW64\Noblkqca.exe	Nfihbk32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhffg32.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Gfchag32.dll	Binhnomg.exe
File opened for modification	C:\Windows\SysWOW64\Enhifi32.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Lifcnk32.dll	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Cpiijfll.dll	a5dc135916bb3611791a5794b52a8cd923648f346a8f4d3d6736ec1358e8453aN.exe
File created	C:\Windows\SysWOW64\Pbcncibp.exe	Obqanjdb.exe
File created	C:\Windows\SysWOW64\Agecdgmk.dll	Dnljkk32.exe
File opened for modification	C:\Windows\SysWOW64\Fdpnda32.exe	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Pencqe32.dll	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Bapgdm32.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Aadafn32.dll	Nofefp32.exe
File created	C:\Windows\SysWOW64\Obqanjdb.exe	Ofjqihnn.exe
File opened for modification	C:\Windows\SysWOW64\Mhckcgpj.exe	Mcdeeq32.exe
File opened for modification	C:\Windows\SysWOW64\Acccdj32.exe	Abcgjg32.exe
File created	C:\Windows\SysWOW64\Nbebbk32.exe	Nofefp32.exe
File created	C:\Windows\SysWOW64\Cajjjk32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Cancekeo.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Ekgqennl.exe	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Ohgohiia.dll	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Gkcigjel.exe	Gqnejaff.exe
File opened for modification	C:\Windows\SysWOW64\Jocnlg32.exe	Jldbpl32.exe
File created	C:\Windows\SysWOW64\Khlklj32.exe	Kemooo32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Gqkhda32.exe	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Ppnenlka.exe	Pakdbp32.exe
File opened for modification	C:\Windows\SysWOW64\Aabkbono.exe	Qikbaaml.exe
File created	C:\Windows\SysWOW64\Gohlkq32.dll	Ppnenlka.exe
File opened for modification	C:\Windows\SysWOW64\Cancekeo.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Mnknop32.dll	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Apjfbb32.dll	Ljpaqmgb.exe
File opened for modification	C:\Windows\SysWOW64\Qppaclio.exe	Ppnenlka.exe
File opened for modification	C:\Windows\SysWOW64\Qiiflaoo.exe	Qppaclio.exe
File opened for modification	C:\Windows\SysWOW64\Qapnmopa.exe	Qiiflaoo.exe
File created	C:\Windows\SysWOW64\Knaodd32.dll	Abcgjg32.exe
File created	C:\Windows\SysWOW64\Afcmfe32.exe	Aagdnn32.exe
File created	C:\Windows\SysWOW64\Pakdbp32.exe	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Ppnenlka.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Aagdnn32.exe	Abfdpfaj.exe
File created	C:\Windows\SysWOW64\Jnblgj32.dll	Cancekeo.exe
File opened for modification	C:\Windows\SysWOW64\Ekimjn32.exe	Ekgqennl.exe
File created	C:\Windows\SysWOW64\Fqphic32.exe	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Gadeee32.dll	Fqphic32.exe
File opened for modification	C:\Windows\SysWOW64\Khlklj32.exe	Kemooo32.exe
File created	C:\Windows\SysWOW64\Qapnmopa.exe	Qiiflaoo.exe
File opened for modification	C:\Windows\SysWOW64\Bmbnnn32.exe	Ampaho32.exe
File created	C:\Windows\SysWOW64\Mjbaohka.dll	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhda32.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Leboon32.dll	Kplmliko.exe
File created	C:\Windows\SysWOW64\Kngmnjok.dll	Qiiflaoo.exe
File created	C:\Windows\SysWOW64\Fbaahf32.exe	Fqbeoc32.exe
File opened for modification	C:\Windows\SysWOW64\Jbccge32.exe	Jeocna32.exe
File opened for modification	C:\Windows\SysWOW64\Lpepbgbd.exe	Likhem32.exe
File created	C:\Windows\SysWOW64\Ojnfihmo.exe	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Chjjqebm.dll	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Kngekilj.dll	Ihpcinld.exe
File created	C:\Windows\SysWOW64\Jbccge32.exe	Jeocna32.exe
File created	C:\Windows\SysWOW64\Hlqeenhm.dll	Kefiopki.exe
File opened for modification	C:\Windows\SysWOW64\Dcnlnaom.exe	Dalofi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5248	6140	WerFault.exe	187

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljbnfleo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhckcgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmdkcnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egegjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbccge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmodajm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofjqihnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcegclgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abfdpfaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapgdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapfiqoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljpaqmgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbebbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aagdnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagmdllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefiopki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binhnomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnljkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekgqennl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbncapd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhldbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcdeeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojnfihmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfccogfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnebo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhffg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5dc135916bb3611791a5794b52a8cd923648f346a8f4d3d6736ec1358e8453aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kifojnol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnohnffc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldbpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noblkqca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnenlka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qikbaaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampaho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdpad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqkhda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iialhaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplmliko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofefp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcgdhkem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcgjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbgdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlalkmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfihbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oblhcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qapnmopa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afcmfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbeml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabkbono.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeapcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piocecgj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onnnbnbp.dll"	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpiijfll.dll"	a5dc135916bb3611791a5794b52a8cd923648f346a8f4d3d6736ec1358e8453aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijgd32.dll"	Ekgqennl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifcnk32.dll"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jldbpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acccdj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdjokcd.dll"	Kemooo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaokcqj.dll"	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qppaclio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngekilj.dll"	Ihpcinld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfaapfi.dll"	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlqeenhm.dll"	Kefiopki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holpib32.dll"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chjjqebm.dll"	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higplnpb.dll"	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njonjm32.dll"	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pekihfdc.dll"	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglafhih.dll"	Iojkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kapfiqoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enhifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a5dc135916bb3611791a5794b52a8cd923648f346a8f4d3d6736ec1358e8453aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohlkq32.dll"	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knaodd32.dll"	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbhiiol.dll"	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbjkg32.dll"	Ampaho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadafn32.dll"	Nofefp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljpaqmgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdhilkd.dll"	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbfciej.dll"	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qikbaaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fegbnohh.dll"	Ljbnfleo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkoiaif.dll"	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekmfnbj.dll"	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iialhaad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 640	3444	a5dc135916bb3611791a5794b52a8cd923648f346a8f4d3d6736ec1358e8453aN.exe	89
PID 3444 wrote to memory of 640	3444	a5dc135916bb3611791a5794b52a8cd923648f346a8f4d3d6736ec1358e8453aN.exe	89
PID 3444 wrote to memory of 640	3444	a5dc135916bb3611791a5794b52a8cd923648f346a8f4d3d6736ec1358e8453aN.exe	89
PID 640 wrote to memory of 1996	640	Ihpcinld.exe	90
PID 640 wrote to memory of 1996	640	Ihpcinld.exe	90
PID 640 wrote to memory of 1996	640	Ihpcinld.exe	90
PID 1996 wrote to memory of 3840	1996	Iojkeh32.exe	91
PID 1996 wrote to memory of 3840	1996	Iojkeh32.exe	91
PID 1996 wrote to memory of 3840	1996	Iojkeh32.exe	91
PID 3840 wrote to memory of 588	3840	Iialhaad.exe	92
PID 3840 wrote to memory of 588	3840	Iialhaad.exe	92
PID 3840 wrote to memory of 588	3840	Iialhaad.exe	92
PID 588 wrote to memory of 5052	588	Jldbpl32.exe	93
PID 588 wrote to memory of 5052	588	Jldbpl32.exe	93
PID 588 wrote to memory of 5052	588	Jldbpl32.exe	93
PID 5052 wrote to memory of 1528	5052	Jocnlg32.exe	94
PID 5052 wrote to memory of 1528	5052	Jocnlg32.exe	94
PID 5052 wrote to memory of 1528	5052	Jocnlg32.exe	94
PID 1528 wrote to memory of 4532	1528	Jeocna32.exe	95
PID 1528 wrote to memory of 4532	1528	Jeocna32.exe	95
PID 1528 wrote to memory of 4532	1528	Jeocna32.exe	95
PID 4532 wrote to memory of 1784	4532	Jbccge32.exe	96
PID 4532 wrote to memory of 1784	4532	Jbccge32.exe	96
PID 4532 wrote to memory of 1784	4532	Jbccge32.exe	96
PID 1784 wrote to memory of 4808	1784	Jeapcq32.exe	97
PID 1784 wrote to memory of 4808	1784	Jeapcq32.exe	97
PID 1784 wrote to memory of 4808	1784	Jeapcq32.exe	97
PID 4808 wrote to memory of 3936	4808	Jllhpkfk.exe	98
PID 4808 wrote to memory of 3936	4808	Jllhpkfk.exe	98
PID 4808 wrote to memory of 3936	4808	Jllhpkfk.exe	98
PID 3936 wrote to memory of 1056	3936	Kefiopki.exe	99
PID 3936 wrote to memory of 1056	3936	Kefiopki.exe	99
PID 3936 wrote to memory of 1056	3936	Kefiopki.exe	99
PID 1056 wrote to memory of 760	1056	Kplmliko.exe	100
PID 1056 wrote to memory of 760	1056	Kplmliko.exe	100
PID 1056 wrote to memory of 760	1056	Kplmliko.exe	100
PID 760 wrote to memory of 1244	760	Kapfiqoj.exe	101
PID 760 wrote to memory of 1244	760	Kapfiqoj.exe	101
PID 760 wrote to memory of 1244	760	Kapfiqoj.exe	101
PID 1244 wrote to memory of 1492	1244	Kifojnol.exe	102
PID 1244 wrote to memory of 1492	1244	Kifojnol.exe	102
PID 1244 wrote to memory of 1492	1244	Kifojnol.exe	102
PID 1492 wrote to memory of 3196	1492	Kemooo32.exe	103
PID 1492 wrote to memory of 3196	1492	Kemooo32.exe	103
PID 1492 wrote to memory of 3196	1492	Kemooo32.exe	103
PID 3196 wrote to memory of 4792	3196	Khlklj32.exe	104
PID 3196 wrote to memory of 4792	3196	Khlklj32.exe	104
PID 3196 wrote to memory of 4792	3196	Khlklj32.exe	104
PID 4792 wrote to memory of 3632	4792	Likhem32.exe	105
PID 4792 wrote to memory of 3632	4792	Likhem32.exe	105
PID 4792 wrote to memory of 3632	4792	Likhem32.exe	105
PID 3632 wrote to memory of 664	3632	Lpepbgbd.exe	106
PID 3632 wrote to memory of 664	3632	Lpepbgbd.exe	106
PID 3632 wrote to memory of 664	3632	Lpepbgbd.exe	106
PID 664 wrote to memory of 4580	664	Ljpaqmgb.exe	107
PID 664 wrote to memory of 4580	664	Ljpaqmgb.exe	107
PID 664 wrote to memory of 4580	664	Ljpaqmgb.exe	107
PID 4580 wrote to memory of 5024	4580	Ljbnfleo.exe	108
PID 4580 wrote to memory of 5024	4580	Ljbnfleo.exe	108
PID 4580 wrote to memory of 5024	4580	Ljbnfleo.exe	108
PID 5024 wrote to memory of 2924	5024	Lcmodajm.exe	109
PID 5024 wrote to memory of 2924	5024	Lcmodajm.exe	109
PID 5024 wrote to memory of 2924	5024	Lcmodajm.exe	109
PID 2924 wrote to memory of 2040	2924	Mhldbh32.exe	110

C:\Users\Admin\AppData\Local\Temp\a5dc135916bb3611791a5794b52a8cd923648f346a8f4d3d6736ec1358e8453aN.exe
"C:\Users\Admin\AppData\Local\Temp\a5dc135916bb3611791a5794b52a8cd923648f346a8f4d3d6736ec1358e8453aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\Ihpcinld.exe
  C:\Windows\system32\Ihpcinld.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\Iojkeh32.exe
    C:\Windows\system32\Iojkeh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\Iialhaad.exe
      C:\Windows\system32\Iialhaad.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3840
    - - C:\Windows\SysWOW64\Jldbpl32.exe
        
        C:\Windows\system32\Jldbpl32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
      - C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Khlklj32.exe
        
        C:\Windows\system32\Khlklj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        35⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Qppaclio.exe
        
        C:\Windows\system32\Qppaclio.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:488
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Ampaho32.exe
        
        C:\Windows\system32\Ampaho32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:660
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:428
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        75⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        93⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        94⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6140 -s 416
        95⤵
        Program crash
        
        PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3056,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=3832 /prefetch:8
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6140 -ip 6140
1⤵
PID:5204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
395KB

MD5
f06a88b079f1bfdbc5a2fa3d0bb30d0a

SHA1
2bafef42f420694a611b36a4c4ba56ee57157729

SHA256
7230d9397a83a08b6b7a0c2c294f39dcb066ae945811f03d1a0ca9ca8529fc51

SHA512
cb957574c9fa33edbbfe895cedfd441767054f5f5da51a541ceb2413bd650d64797e74c7db23b8305e40991480d61a470d8adde319299fc6e4218975cf5f8c67

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
395KB

MD5
066bb3946f75fe96430023d06e1c4de4

SHA1
4941d9a8e7741d7757e1b388e1e9cb2e1c2e9c46

SHA256
bb827427b8d0f9696265c266d570a8d6758da3f6cdc3cdb789b6295761c498b5

SHA512
81893172174bb6e1dd52dbdac88d1a36cdc17513c3d523bded7b82b4f8768bc6583f585f559170d6ebd52b16bc0ff7d6290d758d801ad7020ea707fce06f2bb7

Download Submit
C:\Windows\SysWOW64\Dalofi32.exe

Filesize
395KB

MD5
740ed347248ca3daf8d77255cf3526a8

SHA1
9eabb67eef1b158f5933eccc2a9fc3760d01b715

SHA256
586041ee89ac46fb24009017555e52995335e8ca86a052c0ee125819f3fe0434

SHA512
00c83832d5adc4a2dc8671a3def27b24221068229b2b1780b91551e5562dfd08beccc374d5b6be552a65bbd08b2998631896803233e2069d9005d4e30fc2155c

Download Submit
C:\Windows\SysWOW64\Ddmhhd32.exe

Filesize
395KB

MD5
1abe7749bd932426083e84cecefb0170

SHA1
6ccb78a7c900af4aa0381f0a270b3acf5f85b005

SHA256
3d0ea583d21810092f7fca2be8a05f1255142147db37fab717f97bf2d406b287

SHA512
265297a4a0f1125e83d91d4a0b7daf8e84d9f27eb28e1d25166e8b3b9c7c6bc355ec898f7602319b387eceb020b28bf2b71de2d09e224a069392a4f9531a9feb

Download Submit
C:\Windows\SysWOW64\Ecdbop32.exe

Filesize
395KB

MD5
60fbbda77c189a53b485f7ef375863ed

SHA1
6cc564c28a3a19c422d39650552376c0e665e51e

SHA256
bb94ab68248f196e7b2431238efd7e4ff35315e052fe69c6526773c87d0c011a

SHA512
7f8dc84d9ac3a695e191c288b15cbc06bb1063d3f3cb97deb7a50a5b45128a38a726a170ff558cf7524c9f96b4713b83124be749f14af6b630551b1918667b2e

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
395KB

MD5
2df22c8119b453a8bcde6a1d3151af0f

SHA1
dd45fd254bf510ceb7d1cb1d302a84cf1720955e

SHA256
e6258945b25ef2a491b8d5030efc4c9a03aef704d5cca495d3f15aadbe27230e

SHA512
f711128b3fc56ba5326792a4d7dec4a172d4f58b22de51403a6056fbc86982e7375b02b33f5ddfa7a03716bb7f4c3eae09462c690f88830afbac4519918ecba5

Download Submit
C:\Windows\SysWOW64\Fbaahf32.exe

Filesize
395KB

MD5
7ce83694af5094e9a9ae1b74d52469b4

SHA1
8ebd15589ad7875193be14ea3343c0bf1a9dde6f

SHA256
8b42ccf67600394938e89cc2376eef3c2ca9798c5203d983705155b9952e69c0

SHA512
5aeec371a422c7996bed0048b1b9972fe398647677e59add099df1349cfcf8461834bc50869526e3706300b414d2fc84c743450868ba7855090020d31acf7955

Download Submit
C:\Windows\SysWOW64\Fkcpql32.exe

Filesize
395KB

MD5
5d926acae7dc2c3004527bb9859dd18c

SHA1
d1d0336ca1ada2c25d06db70d2b64d8621a63569

SHA256
319a6b5d6a9d1389d4b7909861841c0695fd47a1ef3d2efafc9561da3d887f5d

SHA512
925f53fe760845b1b1fa40143d2b70d7cf95c62e9cf87a1cae41dbc991332bd139d6402239d66e9cdf103aabd4860f008aa4ad0f5262b0da74b7d4c9d1b8e54e

Download Submit
C:\Windows\SysWOW64\Fqbeoc32.exe

Filesize
395KB

MD5
299a09d18936f0c39e134d386615c6ea

SHA1
ddc3baf6758854ab41194e446563c4e7418a6a4a

SHA256
ebe82189094708983f84eeb3232c02af319f87bdadce39ce1f1b47864c5b2a6a

SHA512
2c36ceef909dc537c1907166289d224079c08f009d6bdea8a4496bbd0ff2c74536e299b15c28981cd08a5df4009f42f5395db04d6ea39b51cedf4337640ffaba

Download Submit
C:\Windows\SysWOW64\Gqkhda32.exe

Filesize
395KB

MD5
5085fe4e3efc765a9d9c145dac7935b6

SHA1
e523bf8a2f3c492f55649bbeb584a734da0e6bf1

SHA256
2f6606f7ae62c8b3d40fee9c463eac5f70aa3c1d67d9368589c14addce6ab50a

SHA512
fc2fdc7b18af47759d9da9aba41bb648870626b4d2c1550e55457fa4e4be0b8380b044ac85182a7f8d6a883ceefa2a3e73a76ec5328dea4a109bd9302e027a29

Download Submit
C:\Windows\SysWOW64\Gqnejaff.exe

Filesize
395KB

MD5
fd7cd6d0dbe98512e550054e785144b0

SHA1
f39a5c723b7c927eb2847aaef072981ceafade9d

SHA256
46c0aff5f6fb0536cbd2e32c28a5fba76443ff71a95ad1b2ae3d47f1d4d66cd5

SHA512
5bc46ec25feff36bb3fc3425b1855eea54547ceb83f4c12e956f4ba6ee1b4336336b82e76fa75e49ad73ea052d2b32c643317cf3ad085d3bcbe1b4c5beac4fdd

Download Submit
C:\Windows\SysWOW64\Ihpcinld.exe

Filesize
395KB

MD5
48575a1f82f4059ac50b3366770bdda5

SHA1
a89a4163549e4a9d7ebe1da6d0311e507bee5173

SHA256
6929495474fbfe4aa37871cb63ec2d3d8a3f9eee83d0563f0e2206b3591acb9d

SHA512
f8d9ce541b5a13360bb8d71c8ba518706dc24ab262432036bcf259003bd3f79ae51ccd4ed6d75f750eb119e5cf6c5cb73dc14f8a1b695e6cb37294fb4831ce4b

Download Submit
C:\Windows\SysWOW64\Iialhaad.exe

Filesize
395KB

MD5
8cd052776af9db621dcf21315c80c56a

SHA1
f65ca6c9610bacd5d3bccfd2891b290fbb599cbc

SHA256
d47fc596e8afec611a9fa0b6dde6ccdee222e7f8a03044f0e9a7652b2ba5d7e6

SHA512
28b41554eec6dc297b91eb659bc88770552e5de05717d40cafd064520183aea4756b57d6a9ad66feaab850202073e8d3745d8cd84a6e89e0f8a8b6524f5ad9a3

Download Submit
C:\Windows\SysWOW64\Iojkeh32.exe

Filesize
395KB

MD5
fcc3de6a44286459c7f0e25eff1df9de

SHA1
ad688789d5beba1175e62406c6e188f8bff4a36f

SHA256
d83119175185962678a5415681286f0e59b8c4d8d5d477dceeffd9b83998608e

SHA512
5c3b7f231c7029092714f8ccb7e0ecac86881fc663dc1467ec2100f517de3533867f72ed55f0c108fb8a1f4c4d5f4fef460e40a3238957ddba48ca6b376c4b98

Download Submit
C:\Windows\SysWOW64\Jbccge32.exe

Filesize
395KB

MD5
26e2a601d5c8246c148b7ad007fc21a4

SHA1
5485018f01fbbe899e41235b7c2c306e41e4e874

SHA256
20bb5870cc3918a55acfae7c97cf14428f7c7065f33ef77f3cd8082d2747360e

SHA512
c1384869d9a86652ada61d62fdbcef10497c48d05768dfc058bf6b0ecd102d014769ddbdf7336eb32a91ab93b2a07495cb42ab4745b7c07adc942e4024d33bf7

Download Submit
C:\Windows\SysWOW64\Jeapcq32.exe

Filesize
395KB

MD5
9da52f454644aacd61a36100aae8782e

SHA1
5e795ce5c7cb6f51b649119cc9609335ef6ecc31

SHA256
76b78eedbe5e0c44b75c9ef7d5e34c00c1a84723e52c2d77c55cf56180598ac4

SHA512
7f4025e4c67bd0c181e7784cd98b96b26c771d0316302c5b8f732ac868577de4956d9c69630897cff9a740b90b82cedc83bbb5acc10532df70b85d23a48c7898

Download Submit
C:\Windows\SysWOW64\Jeocna32.exe

Filesize
395KB

MD5
bdfaf857ab23ecea02e90a97068c2cd8

SHA1
c5e8a710ac2510bf9ddc1394c6f964d0dabab280

SHA256
a965d3d5f5177b8a17760feafa079f4f7fd4333024147675cc48b8eba40c999d

SHA512
4bfb6fddcf043567f36b8c16db315bd5f354f53c0687d3ffe7edc3ede84db4de8d9643d44d942f010a74f4da126badd529037ffa4e912f064f80557a0e831d49

Download Submit
C:\Windows\SysWOW64\Jldbpl32.exe

Filesize
395KB

MD5
b3ed161c6a63596c58c60217c86c0230

SHA1
11c5fd2ecfa54303c24d3c9c8fa7bbe0e4a0b9a2

SHA256
90937b2bc7c7aec629551c196f50a48def4392b7e85ab65e2a8ab5e40b8cc545

SHA512
6a53a762566c3983fa725feb6a61842346874fe7fcfab5801539ce7e9905704d9d336df231a84d2a39490654c3b0530368234a9c33865733a4a75256d0a6f3c4

Download Submit
C:\Windows\SysWOW64\Jllhpkfk.exe

Filesize
395KB

MD5
c34e14f50a44849cc484c0238ed8dc78

SHA1
179981af70314ccd1a2885338694c00ec910d394

SHA256
773b9ee001ed102ae798199dbff5f18f78076c860532a7c72f2abb869cb8bfff

SHA512
bef901ae41edd5816567342c2de34b5bdf7fde2782319d73c2cbc59034bac4eba0da38b622f4ce9fde5e506930dc2ae3e5450a0d4795e4bfd2600091fc49ec8f

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
395KB

MD5
f407873c7e306f1b4754c88ce914112c

SHA1
60544106d8d3e5a5595682818d01649778bd8486

SHA256
e28d5945968a2356f894a184d7c56f8b560a4eb885cecb46dfd6ea0c8d32ffaf

SHA512
c04ed07223a91ba0bca6cc4e84ee9fc76e09cb5119bca571b62598ae42d0e37479b21b698cca8d27edd054821fbcfa74b821f5be6977313131a8925d00a04042

Download Submit
C:\Windows\SysWOW64\Kapfiqoj.exe

Filesize
395KB

MD5
b1383a37e6072232b9999ed9df2f2276

SHA1
e1e42d16815bf02b303ce004f9b39f4cbb8cc9ca

SHA256
4510295f9224b1ef51ac4f7ffb912b8d1aa9810d161944d27987aea57d32b06b

SHA512
ed9ceb3f404a4c7487159a5a468b47daeee4b62a0beaea458084edc4a1ec44e2324456229176e2bbef9cae8ec42496165fedb52854dab05f3093cc2555ccce2f

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
395KB

MD5
e141bb448846ed52525577a91a9b8271

SHA1
16367c74f4ad5d4a40acb9afc1be2c528e7a8fd8

SHA256
77f7edf05122fbf9a5370b28417e3da8827639345cdb1dd304536bdb65d8d496

SHA512
d1599887ecdb497a485d85b7c1e68bdfd7169d194f25ecf9ab553a7ec1fb19770566e263a0c79f51be4af21d7c9322e0a509dc600429b338c33e7b830b7060ab

Download Submit
C:\Windows\SysWOW64\Kemooo32.exe

Filesize
395KB

MD5
7c9e4b46ea09a29d723e10089c7fa1ed

SHA1
72a3ed19ccb4a05f085993eb76119f972158cbdf

SHA256
999eec6bc452f10ec5c67a8008b34559d630c2b4ce3c3d7708a5c9f04d44fff4

SHA512
c58e69146070f96a48e64cafb69fd0de83802b2c962b5214795fcd1bad27785cd7b050ad52b19fc3714e6051d107459208b41041089bac80de2a98ca4f861151

Download Submit
C:\Windows\SysWOW64\Khlklj32.exe

Filesize
395KB

MD5
fd19a7e42a04310c1dda719349f7dcd0

SHA1
60a97cc0836bbf025075703a22ce5dd824f0b554

SHA256
f58fe7a648c871a8b495392027dd5372b498cb4341e1af96bcc125020d51d6d1

SHA512
b46232d24b0e698d5a7772f19b1dca0d5abcc224c67d3d5fedcb3beb76559553a78650ad6714bc9433b24adfccfe5fe3a74dfae20f5f40a02020e37fac883375

Download Submit
C:\Windows\SysWOW64\Kifojnol.exe

Filesize
395KB

MD5
0d2c586c13015e2ee3313513044fd3a1

SHA1
36b3c4f712e9d9b6787077a3b79f8fc7bb9284b1

SHA256
750bd70c7af03c90d9945b0a734f87d91f48d5e5ef531ec2761a4f32fdc89093

SHA512
d08c48d6b444b00918cd8f8126dbfeb2afc9c194fbcb7dd14ca562a65ec21d54a5bce2f3d40196864861e5e97dcf6ed94588b1fedf5cca9246a02bb6a875a900

Download Submit
C:\Windows\SysWOW64\Kplmliko.exe

Filesize
395KB

MD5
77b696420419897e8adb623a4f6798a9

SHA1
34e6f417532995d83c5760e2119dd6ef28d02ab9

SHA256
f8424deab1eff3af6edf2b179e538bb40c6bacc60734ed54b8fee424b3d9b686

SHA512
e8b9cf94c49290f4c992314387a5df23512017060749c001e9f5cccfaabe07d354b7252c30ac5ae7bbf7c23840728927f34c77cf87f13dad45014b02b9c118e6

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
395KB

MD5
bada8c4f12ee09738109cdc98b10e6f4

SHA1
8b8240664d11b41eb17ca26f2c91ec1dc81d7c5c

SHA256
c415c803382b8521efc608128be32b2ba807ff3f9b2dc2e6c1cfd0fb237e6f58

SHA512
b84de75c57952edf2d25fc7946e0a7ef2505a26af80bfaa5752411f6cce6083280be66dab6a99493fb0b049bad1bd09d858a8f54701a2816252ae6f767513f3f

Download Submit
C:\Windows\SysWOW64\Likhem32.exe

Filesize
395KB

MD5
8d00949c9e7bb92b0716ef79d9064e67

SHA1
1c86d12fe1a116b8dc6c6135f655a4ac3369962b

SHA256
e98ad69a55290b53d2bab8e542b07480fe8cb6a7d7c7b87465f14e80136f08bc

SHA512
3a3977119251bf3dbcb9052a967779c1e077bfac1565eb4d5c2a18c2ccf788ab9ab3523159ad2741c150a21b5c2643a85b881090dc0d879e6401f731bb988d40

Download Submit
C:\Windows\SysWOW64\Ljbnfleo.exe

Filesize
395KB

MD5
e43a344a02d93514bd6a4d5f4ca446e1

SHA1
0d5f8a78d3cfade72924228afaadd377c3105e4f

SHA256
4cb4afa5a0571efcdd7fe1dd015639a43996d757de687d4d8f27c6d1a79d6ede

SHA512
ce5abbbd87c1844f7309d499b3e04d43427101f60e9aea3149b76c1667aeac1779c91b1e53fbc10dd52a4d71b4c75d2aa476ffd5dda97981259f949c2c63a098

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
395KB

MD5
aee1892d93dd8b5322b2cbaafda658a6

SHA1
3c5839c6195924ce9fb3c6e9dd6b61beddb6bd0a

SHA256
c7472855ff0f0666b12cd9bb1677a9035e7a985849883fcc04330d3263dadc1c

SHA512
34bb6a79fe65322566b401df81e789bb3c086799f2561d8c72947e1bc3a8e7955209ba1d190ae0a3716038e818b733efb4e9b5a164fd6409eb1c2619324980ce

Download Submit
C:\Windows\SysWOW64\Lpepbgbd.exe

Filesize
395KB

MD5
9b80140567776af39f0edeb44560c66e

SHA1
f728997262c9dd5a7e1e028947a50dbee52c8bf7

SHA256
5a8d40c183fc1979b60527a3ebe31a7feef1c2048904913095e4a65d1de64b57

SHA512
7dde6a267daf54c3069659f95baa634a98edd1369e7ca64efb1b99a3730a4a89bfb34f7be03679919587f153a078b37cfa948bb2d988c06d04b6eb00d50e8b1d

Download Submit
C:\Windows\SysWOW64\Mcdeeq32.exe

Filesize
395KB

MD5
a735a22f1ca0cb528b81684f57cd56a4

SHA1
ac679a345a488abc3b1fad54b2a9003bb6ab2f8d

SHA256
bc6b6ad3be4e2509dee1bf524eb9008eeea23c934c2c336ab4eeff05d2dfbb87

SHA512
049ba6116e86b914d889816b8ddcebc304a495b9ff654a30d7d6eec9b79501b04b7ae8bcd4116f221119ac4262696d16b79146078dfb6225051772a7819893af

Download Submit
C:\Windows\SysWOW64\Mhckcgpj.exe

Filesize
395KB

MD5
837cc68c12e88ccc92d27b49b9eef5ad

SHA1
4334f4e9240dcd768f3284c377baa2f9e3ea618f

SHA256
35ac2e7e351c92c94db1307943641ac553b49db9a4e2e5967bae5ac8a6863eec

SHA512
ff6cdda52ea5da6e13acca6500302dfa6c58a28ca1b1f12c6ed6e5054d420bf81ca496f989b519e3db3f8ff258b62f8c67899fe9ac93f326e5ac789d166574bc

Download Submit
C:\Windows\SysWOW64\Mhldbh32.exe

Filesize
395KB

MD5
1b6f89edad76eebc174c50b015bcceb2

SHA1
6852bf85b297bc5c093c883dca93de496d6136a4

SHA256
41bf57cda505326562bd63b49a8f5cbe49ef49c52a516f9f84be3d1c145f5a4f

SHA512
56e2d5fef1372a5a5ea4ce17b59558e230c13156b16feabf00a4262dcb850a3b52b1537def46c34737987d719170146e6c208d4474e02f95adcda4cedf648217

Download Submit
C:\Windows\SysWOW64\Mjlalkmd.exe

Filesize
395KB

MD5
7bf258ee204a35560c535c21c72fbe33

SHA1
6f8ff95dc6d03b8e14d5eec080aec3ef2c3211bc

SHA256
e6b6bde8b1a8cb251323c09d5c554d8256372f15d0c9ea24424adab2cb76bca0

SHA512
e25328533c3945d9ee23ca87c38f552c1b38d78cb5d14e50550c95370100cec27051fce991c1a7641fda3648d1674b08b362dc796910d4f356fcca76ef87ffea

Download Submit
C:\Windows\SysWOW64\Nbbeml32.exe

Filesize
395KB

MD5
1f815faa445cfda1a94c5b1672111c8e

SHA1
5649039851f3f4db7f6a375217314234844b185e

SHA256
ae32b67a54a95346da8a4ac54447e5379330adb280a6a8d50315a63712a3ec6f

SHA512
7c811279ed7b9a823ea6d98da8ca43b6fed57f072ba6c42c561d9f1b353d6e13cdac6e77071657c92b73a4b897da8ed36745736f08d3057c8fec553b88ffb673

Download Submit
C:\Windows\SysWOW64\Nbebbk32.exe

Filesize
395KB

MD5
6615c0c47a74d4adef8297cdfec121d5

SHA1
bc2e50997926dc08273b18f5a3fa7ae451b2332b

SHA256
0765789afb21f88596dfd162e1ed1c7bea836583b96d0d42759fb8c2088b8956

SHA512
3be62eb729c1256a8c30d664536d22db28c3df8b5e087bbc2350f2b0ed9585cbae152be3fabbca8c99809cfe5925747f481ed925e0a91eb7eb3236d7cc671170

Download Submit
C:\Windows\SysWOW64\Nfihbk32.exe

Filesize
395KB

MD5
4918268e6feed661384a29318d19df47

SHA1
d7f7f0bd54412f668866d5fa7858cd8070342573

SHA256
586b3f4bf618a4474dd796e02978d6946c35a8f88b6eedf1980d6ba330bad69e

SHA512
157b6b5af7d34c4d2cfaf7983ede85411a828ce2b662715a7bf338c893bdcf9b1283b4365811d16e8dabb027c0fb7eed81c711bf0c147bc83cc72abade9bdd4b

Download Submit
C:\Windows\SysWOW64\Noblkqca.exe

Filesize
395KB

MD5
2395f6dfed3ede799dc3908883015f25

SHA1
0736f61ad3d4cf82457652e43cb6787b62f4838e

SHA256
f593e02b5faccd4508b5f2d0ea622dee9ce00acf3a56cabb1e86f8149d4a065a

SHA512
9100de414557a4cab7f52061d3236578b1d3c75aa32d5dd03d96bfabd626ec3838bdf1a47352b66f6e5019c7c653aef96e14578c9e83641bf00725743e28a89d

Download Submit
C:\Windows\SysWOW64\Oblhcj32.exe

Filesize
395KB

MD5
20ee6f3902b6733d35ac6587b21b6f0a

SHA1
10715797c4af78bde8c6d0c1b73958d0ebb1734f

SHA256
6514d62f5b41476034af2ca06b16ee4442dd533c2aa79272ffe35f5a0776017a

SHA512
5a4bd0158ad17c18069437f74919285785319ae500ec43793e4754887d8a2a557e5f5de570c845e49a022c4bf5b774ca0d6eca2dc6b6eb9917b36b5d3b0ae248

Download Submit
C:\Windows\SysWOW64\Obqanjdb.exe

Filesize
395KB

MD5
8a3b6f8cc997ace35a392ee5811de530

SHA1
bdd4ae6951a0c887957b372748f977509aa16252

SHA256
303980a9093520e8d6567bc59fcfe4c6644b49487ccfd89c79cf04cc5dc1723c

SHA512
8e16ad24e5ef406dffe20acf183e81d7155b8d5e4b54a7e2f5e2e8378c569a6b5455cba9f21723d15fc04e9f993e031983f7ccf2d1922daaeed1063073598ef3

Download Submit
C:\Windows\SysWOW64\Ofjqihnn.exe

Filesize
395KB

MD5
8b00f634dd79fdbf3f914ba1d307bf62

SHA1
25bfce27e8b7ca1a5d3fc1079c7fced518b9b9b9

SHA256
aa1880f337cf917c59f12370626e2b80ce8aa611c1ed50e72d096e735dc5d3c7

SHA512
1f2e06c92e47fa5aa1ef499c96727d67d7d07e216085ff71c8b52aa5a4bb4f5cb47c55ff95ebba6d915cdb4b48b7f7f3f8123af3db4ecd3cf70a3953aecf46e1

Download Submit
C:\Windows\SysWOW64\Ojnfihmo.exe

Filesize
395KB

MD5
b4bdfcedb99711af955d04ce8d036e5c

SHA1
3b10b4f9a43ffcd7a90fd217a477ba7ac82bf55f

SHA256
7aea32e746736c27dd8188c9e602f8ea6f663895b4debbd33c12329d65d6b5ac

SHA512
39e53ec80ae202a7ee409bb450d303b11185f2e970d1d7a8e2262c287ff7b78366c3f94039f1f1579d0f52f00d556b2b4f7c394de63df95cfc83f23734e6abee

Download Submit
C:\Windows\SysWOW64\Pbcncibp.exe

Filesize
395KB

MD5
16afece24589b3f93832cfdd28a0996f

SHA1
52ee0e324412b0c72b6dadc469b35680b3959697

SHA256
21caa6d15baa0642f435a5a216184997974539567dcd74a40d842d4b76a57608

SHA512
e97f319f2ab9aa195c1fbf24e756afc6b39211628b6532ccc50d49bfe121ccd8eacf461055863325323ac4f189ef5a6f47b1efff57d744d6ad5eda28a23f8c64

Download Submit
C:\Windows\SysWOW64\Pcgdhkem.exe

Filesize
395KB

MD5
57d09cdf1774957e88fcf1d2591eb63c

SHA1
f06e5de0b6aa794554139ff5b82df867129c35f5

SHA256
7ee5f72fc9c8c4b5ec4ef10de14956611cb42d902cef2ee0d4ab96f5b17e905b

SHA512
1bd83670f21a7e45912cf13cb1968f786d00b94be1dccde4469e4b21a812118d1441fd4eb25554f70e71285ef5f1f6b8cb524eadd1293e65669dc9fe41172fec

Download Submit
C:\Windows\SysWOW64\Qapnmopa.exe

Filesize
395KB

MD5
f5eaca080a11b74ad1a955885da393cd

SHA1
1074ddc2cf4a86c33527a2b877f360a5b4405fd2

SHA256
bcc103121c41b770cbc4fa572113b579be719e276f1dcb186a3f14ffdcf3e29d

SHA512
4246dac18d899b05b421b19a379fadd8bb32d4b4400f71e6b128b57231778e9a8b317cef9a6cfe3f8c45876530c53cd4332638c22f2308032c3375d512292566

Download Submit
memory/316-281-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/428-466-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/488-341-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/588-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/588-565-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/640-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/640-545-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/660-442-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/664-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/760-95-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/976-370-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1056-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1244-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1264-200-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1456-376-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1492-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1500-472-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1528-579-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1648-458-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1664-305-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-592-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1904-293-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1912-451-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1916-224-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1920-311-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1996-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1996-552-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2040-176-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2156-247-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2224-327-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2348-299-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2360-436-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2568-183-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2924-168-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3132-263-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3176-412-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-120-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3308-335-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3396-231-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3432-191-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3444-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3444-538-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3476-317-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3632-136-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3676-428-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3840-558-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3840-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3868-358-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3936-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4000-287-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4072-382-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4092-418-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4100-269-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4120-256-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4176-239-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4184-207-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4244-352-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4264-215-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4272-406-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4364-400-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4372-275-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4512-460-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4528-220-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4532-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4532-586-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4580-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4648-388-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4792-128-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4808-599-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4808-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4844-434-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4928-394-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5024-159-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5052-572-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5052-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5076-364-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5096-333-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5124-478-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5168-484-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5212-490-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5256-496-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5300-502-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5340-511-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5380-514-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5420-520-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5460-526-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5500-532-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5540-539-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5604-546-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5704-559-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5748-566-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5796-573-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5840-580-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5920-593-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads