f7267e80274fdfc2ace87f66074153b3d289aad7e9956e696e086c5ac36cf01e

Analysis

max time kernel
125s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7267e80274fdfc2ace87f66074153b3d289aad7e9956e696e086c5ac36cf01e.exe
Size

96KB
MD5

e8fc8b077d17ca1a60ea45d8ac0d590b
SHA1

29aab5e65bca417e5a2ed83283e75b1545689509
SHA256

f7267e80274fdfc2ace87f66074153b3d289aad7e9956e696e086c5ac36cf01e
SHA512

057843e7ab9f93390b3fcf3bfdccc251a4464c77ca15258c89ab8eec0bb0ef875d377b96c717be937f101cb5039febb6c4d4aa87fe9183af24ec294fd6464350
SSDEEP

1536:7wjBa8YTCUibn6gEOrf5IdbQZJMJrOjcuS/i0UZT5sRQ6RkRLJzeLD9N0iQGRNQX:81M2n6gEOz5IOZmJrOjcuS/i0UZSe6SV

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jelonkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjkbnfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepineo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odljjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okolfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omaeem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgocgjgk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kalcik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjkbnfha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iholohii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkepineo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hepgkohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkohchko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Igmoih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijbbfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Podkmgop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhpgca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hkohchko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iabglnco.exe

Executes dropped EXE 64 IoCs

pid	Process
1372	Gjkbnfha.exe
4036	Hepgkohh.exe
464	Hgocgjgk.exe
3040	Hqghqpnl.exe
2476	Hkmlnimb.exe
2392	Haidfpki.exe
1528	Hkohchko.exe
2408	Ielfgmnj.exe
1924	Ilfodgeg.exe
1920	Iabglnco.exe
396	Igmoih32.exe
1284	Iaedanal.exe
3644	Iholohii.exe
1460	Ilmedf32.exe
3596	Ijbbfc32.exe
3464	Jdjfohjg.exe
3840	Jnpjlajn.exe
808	Jejbhk32.exe
4224	Jbncbpqd.exe
812	Jelonkph.exe
4340	Jjihfbno.exe
2740	Jeolckne.exe
1840	Jjkdlall.exe
1332	Jaemilci.exe
2096	Koimbpbc.exe
4312	Koljgppp.exe
1868	Klpjad32.exe
4972	Kalcik32.exe
428	Kkgdhp32.exe
1740	Loemnnhe.exe
3060	Lklnconj.exe
2260	Leabphmp.exe
872	Ledoegkm.exe
3736	Lkqgno32.exe
1640	Lajokiaa.exe
4128	Lcjldk32.exe
2824	Mkepineo.exe
3640	Mdnebc32.exe
1844	Mcoepkdo.exe
4056	Mdpagc32.exe
1712	Madbagif.exe
372	Mlifnphl.exe
5096	Mddkbbfg.exe
4212	Mhpgca32.exe
1936	Mojopk32.exe
4756	Mdghhb32.exe
5044	Nakhaf32.exe
5076	Ndidna32.exe
1488	Namegfql.exe
4028	Nlcidopb.exe
3508	Nkhfek32.exe
2364	Nofoki32.exe
1672	Ohncdobq.exe
4508	Oohkai32.exe
4192	Odedipge.exe
3100	Okolfj32.exe
2128	Obidcdfo.exe
2560	Ohcmpn32.exe
3044	Okailj32.exe
4324	Oheienli.exe
2256	Omaeem32.exe
1336	Oooaah32.exe
1420	Obnnnc32.exe
1392	Odljjo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lcjldk32.exe	Lajokiaa.exe
File opened for modification	C:\Windows\SysWOW64\Mddkbbfg.exe	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Bhejfl32.dll	Mhpgca32.exe
File created	C:\Windows\SysWOW64\Hgocgjgk.exe	Hepgkohh.exe
File created	C:\Windows\SysWOW64\Hkohchko.exe	Haidfpki.exe
File created	C:\Windows\SysWOW64\Pfqdbl32.dll	Ndidna32.exe
File created	C:\Windows\SysWOW64\Pbgnqacq.dll	Oooaah32.exe
File opened for modification	C:\Windows\SysWOW64\Pmeoqlpl.exe	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Mdnebc32.exe	Mkepineo.exe
File created	C:\Windows\SysWOW64\Cfioldni.dll	Madbagif.exe
File created	C:\Windows\SysWOW64\Mlifnphl.exe	Madbagif.exe
File opened for modification	C:\Windows\SysWOW64\Oheienli.exe	Okailj32.exe
File created	C:\Windows\SysWOW64\Pmeoqlpl.exe	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Nlcidopb.exe	Namegfql.exe
File opened for modification	C:\Windows\SysWOW64\Obpkcc32.exe	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Ilfodgeg.exe	Ielfgmnj.exe
File opened for modification	C:\Windows\SysWOW64\Jejbhk32.exe	Jnpjlajn.exe
File opened for modification	C:\Windows\SysWOW64\Jeolckne.exe	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Klpjad32.exe	Koljgppp.exe
File opened for modification	C:\Windows\SysWOW64\Madbagif.exe	Mdpagc32.exe
File created	C:\Windows\SysWOW64\Ohnncn32.dll	Jejbhk32.exe
File created	C:\Windows\SysWOW64\Eknanh32.dll	Nlcidopb.exe
File created	C:\Windows\SysWOW64\Ipiddlhk.dll	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Fhmeii32.dll	Ohncdobq.exe
File created	C:\Windows\SysWOW64\Obidcdfo.exe	Okolfj32.exe
File opened for modification	C:\Windows\SysWOW64\Oooaah32.exe	Omaeem32.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	Oooaah32.exe
File opened for modification	C:\Windows\SysWOW64\Obidcdfo.exe	Okolfj32.exe
File opened for modification	C:\Windows\SysWOW64\Pdngpo32.exe	Obpkcc32.exe
File opened for modification	C:\Windows\SysWOW64\Pbddobla.exe	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Jjkdlall.exe	Jeolckne.exe
File created	C:\Windows\SysWOW64\Oacmli32.dll	Koimbpbc.exe
File opened for modification	C:\Windows\SysWOW64\Klpjad32.exe	Koljgppp.exe
File created	C:\Windows\SysWOW64\Cifiamoa.dll	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Ohhbfe32.dll	Mojopk32.exe
File created	C:\Windows\SysWOW64\Pfbmdabh.exe	Pcdqhecd.exe
File opened for modification	C:\Windows\SysWOW64\Pdqcenmg.exe	Pbbgicnd.exe
File opened for modification	C:\Windows\SysWOW64\Hkohchko.exe	Haidfpki.exe
File created	C:\Windows\SysWOW64\Ghikqj32.dll	Iabglnco.exe
File created	C:\Windows\SysWOW64\Jdjfohjg.exe	Ijbbfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdnebc32.exe	Mkepineo.exe
File opened for modification	C:\Windows\SysWOW64\Okolfj32.exe	Odedipge.exe
File created	C:\Windows\SysWOW64\Oooaah32.exe	Omaeem32.exe
File opened for modification	C:\Windows\SysWOW64\Iaedanal.exe	Igmoih32.exe
File created	C:\Windows\SysWOW64\Hlnecf32.dll	Igmoih32.exe
File created	C:\Windows\SysWOW64\Iholohii.exe	Iaedanal.exe
File created	C:\Windows\SysWOW64\Ijbbfc32.exe	Ilmedf32.exe
File created	C:\Windows\SysWOW64\Lbnjfh32.dll	Nkhfek32.exe
File opened for modification	C:\Windows\SysWOW64\Hgocgjgk.exe	Hepgkohh.exe
File created	C:\Windows\SysWOW64\Cojaijla.dll	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Gccebdmn.dll	Ielfgmnj.exe
File created	C:\Windows\SysWOW64\Iaedanal.exe	Igmoih32.exe
File created	C:\Windows\SysWOW64\Kalcik32.exe	Klpjad32.exe
File created	C:\Windows\SysWOW64\Ebpmamlm.dll	Kalcik32.exe
File created	C:\Windows\SysWOW64\Oheienli.exe	Okailj32.exe
File opened for modification	C:\Windows\SysWOW64\Jnpjlajn.exe	Jdjfohjg.exe
File created	C:\Windows\SysWOW64\Jejbhk32.exe	Jnpjlajn.exe
File created	C:\Windows\SysWOW64\Mojopk32.exe	Mhpgca32.exe
File created	C:\Windows\SysWOW64\Iabglnco.exe	Ilfodgeg.exe
File created	C:\Windows\SysWOW64\Igmoih32.exe	Iabglnco.exe
File opened for modification	C:\Windows\SysWOW64\Pbbgicnd.exe	Podkmgop.exe
File created	C:\Windows\SysWOW64\Ifoglp32.dll	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Mhpgca32.exe	Mddkbbfg.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdjfohjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koljgppp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hepgkohh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkohchko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcjldk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqghqpnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkmlnimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjihfbno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkepineo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcoepkdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhpgca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjkbnfha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaedanal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koimbpbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Namegfql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofoki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohncdobq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igmoih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhfek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndidna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obidcdfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iholohii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbncbpqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omaeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdngpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkklbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlifnphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedipge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odljjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilmedf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijbbfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kalcik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7267e80274fdfc2ace87f66074153b3d289aad7e9956e696e086c5ac36cf01e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mddkbbfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nakhaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obpkcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgocgjgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jejbhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f7267e80274fdfc2ace87f66074153b3d289aad7e9956e696e086c5ac36cf01e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iaedanal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpcjnil.dll"	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	f7267e80274fdfc2ace87f66074153b3d289aad7e9956e696e086c5ac36cf01e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjkbnfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajbnn32.dll"	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdngpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbjabqbh.dll"	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkhfek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nofoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgnqacq.dll"	Oooaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaaqg32.dll"	Oheienli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghikqj32.dll"	Iabglnco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkidlkmq.dll"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbneceac.dll"	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngihj32.dll"	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	f7267e80274fdfc2ace87f66074153b3d289aad7e9956e696e086c5ac36cf01e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iholohii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjkdkibk.dll"	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmannfj.dll"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodipp32.dll"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbpeafn.dll"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcjldk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjkbnfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hkmlnimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iabglnco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdnebc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pecpknke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoglp32.dll"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggghajap.dll"	Gjkbnfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjekja32.dll"	Hepgkohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kchhih32.dll"	Mkepineo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okolfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Igmoih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbpfi32.dll"	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkqol32.dll"	Jaemilci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ielfgmnj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1372	2452	f7267e80274fdfc2ace87f66074153b3d289aad7e9956e696e086c5ac36cf01e.exe	89
PID 2452 wrote to memory of 1372	2452	f7267e80274fdfc2ace87f66074153b3d289aad7e9956e696e086c5ac36cf01e.exe	89
PID 2452 wrote to memory of 1372	2452	f7267e80274fdfc2ace87f66074153b3d289aad7e9956e696e086c5ac36cf01e.exe	89
PID 1372 wrote to memory of 4036	1372	Gjkbnfha.exe	90
PID 1372 wrote to memory of 4036	1372	Gjkbnfha.exe	90
PID 1372 wrote to memory of 4036	1372	Gjkbnfha.exe	90
PID 4036 wrote to memory of 464	4036	Hepgkohh.exe	91
PID 4036 wrote to memory of 464	4036	Hepgkohh.exe	91
PID 4036 wrote to memory of 464	4036	Hepgkohh.exe	91
PID 464 wrote to memory of 3040	464	Hgocgjgk.exe	92
PID 464 wrote to memory of 3040	464	Hgocgjgk.exe	92
PID 464 wrote to memory of 3040	464	Hgocgjgk.exe	92
PID 3040 wrote to memory of 2476	3040	Hqghqpnl.exe	93
PID 3040 wrote to memory of 2476	3040	Hqghqpnl.exe	93
PID 3040 wrote to memory of 2476	3040	Hqghqpnl.exe	93
PID 2476 wrote to memory of 2392	2476	Hkmlnimb.exe	94
PID 2476 wrote to memory of 2392	2476	Hkmlnimb.exe	94
PID 2476 wrote to memory of 2392	2476	Hkmlnimb.exe	94
PID 2392 wrote to memory of 1528	2392	Haidfpki.exe	95
PID 2392 wrote to memory of 1528	2392	Haidfpki.exe	95
PID 2392 wrote to memory of 1528	2392	Haidfpki.exe	95
PID 1528 wrote to memory of 2408	1528	Hkohchko.exe	96
PID 1528 wrote to memory of 2408	1528	Hkohchko.exe	96
PID 1528 wrote to memory of 2408	1528	Hkohchko.exe	96
PID 2408 wrote to memory of 1924	2408	Ielfgmnj.exe	97
PID 2408 wrote to memory of 1924	2408	Ielfgmnj.exe	97
PID 2408 wrote to memory of 1924	2408	Ielfgmnj.exe	97
PID 1924 wrote to memory of 1920	1924	Ilfodgeg.exe	98
PID 1924 wrote to memory of 1920	1924	Ilfodgeg.exe	98
PID 1924 wrote to memory of 1920	1924	Ilfodgeg.exe	98
PID 1920 wrote to memory of 396	1920	Iabglnco.exe	99
PID 1920 wrote to memory of 396	1920	Iabglnco.exe	99
PID 1920 wrote to memory of 396	1920	Iabglnco.exe	99
PID 396 wrote to memory of 1284	396	Igmoih32.exe	100
PID 396 wrote to memory of 1284	396	Igmoih32.exe	100
PID 396 wrote to memory of 1284	396	Igmoih32.exe	100
PID 1284 wrote to memory of 3644	1284	Iaedanal.exe	101
PID 1284 wrote to memory of 3644	1284	Iaedanal.exe	101
PID 1284 wrote to memory of 3644	1284	Iaedanal.exe	101
PID 3644 wrote to memory of 1460	3644	Iholohii.exe	102
PID 3644 wrote to memory of 1460	3644	Iholohii.exe	102
PID 3644 wrote to memory of 1460	3644	Iholohii.exe	102
PID 1460 wrote to memory of 3596	1460	Ilmedf32.exe	103
PID 1460 wrote to memory of 3596	1460	Ilmedf32.exe	103
PID 1460 wrote to memory of 3596	1460	Ilmedf32.exe	103
PID 3596 wrote to memory of 3464	3596	Ijbbfc32.exe	104
PID 3596 wrote to memory of 3464	3596	Ijbbfc32.exe	104
PID 3596 wrote to memory of 3464	3596	Ijbbfc32.exe	104
PID 3464 wrote to memory of 3840	3464	Jdjfohjg.exe	105
PID 3464 wrote to memory of 3840	3464	Jdjfohjg.exe	105
PID 3464 wrote to memory of 3840	3464	Jdjfohjg.exe	105
PID 3840 wrote to memory of 808	3840	Jnpjlajn.exe	106
PID 3840 wrote to memory of 808	3840	Jnpjlajn.exe	106
PID 3840 wrote to memory of 808	3840	Jnpjlajn.exe	106
PID 808 wrote to memory of 4224	808	Jejbhk32.exe	107
PID 808 wrote to memory of 4224	808	Jejbhk32.exe	107
PID 808 wrote to memory of 4224	808	Jejbhk32.exe	107
PID 4224 wrote to memory of 812	4224	Jbncbpqd.exe	108
PID 4224 wrote to memory of 812	4224	Jbncbpqd.exe	108
PID 4224 wrote to memory of 812	4224	Jbncbpqd.exe	108
PID 812 wrote to memory of 4340	812	Jelonkph.exe	109
PID 812 wrote to memory of 4340	812	Jelonkph.exe	109
PID 812 wrote to memory of 4340	812	Jelonkph.exe	109
PID 4340 wrote to memory of 2740	4340	Jjihfbno.exe	110

C:\Users\Admin\AppData\Local\Temp\f7267e80274fdfc2ace87f66074153b3d289aad7e9956e696e086c5ac36cf01e.exe
"C:\Users\Admin\AppData\Local\Temp\f7267e80274fdfc2ace87f66074153b3d289aad7e9956e696e086c5ac36cf01e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\Gjkbnfha.exe
  C:\Windows\system32\Gjkbnfha.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\Hepgkohh.exe
    C:\Windows\system32\Hepgkohh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\SysWOW64\Hgocgjgk.exe
      C:\Windows\system32\Hgocgjgk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\SysWOW64\Hkmlnimb.exe
        
        C:\Windows\system32\Hkmlnimb.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Haidfpki.exe
        
        C:\Windows\system32\Haidfpki.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Hkohchko.exe
        
        C:\Windows\system32\Hkohchko.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Igmoih32.exe
        
        C:\Windows\system32\Igmoih32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Iholohii.exe
        
        C:\Windows\system32\Iholohii.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:428
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2492
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        86⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        87⤵
        
        PID:5744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3852,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=3956 /prefetch:8
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeopfl32.exe

Filesize
96KB

MD5
bf81b440d511acb3418a3e3baf769257

SHA1
c2f074d704ab8cb4c05d14c1538c5e3acd328f1c

SHA256
bd6c375b786c14ae74703ca8520d1221d389bbd2da0731eb8755bbbaf6f953cd

SHA512
7fcf8b718f945608973e04543ccb9a9f54e0bbdb0ebf1e6d806f9b26fc47675dbdba3ef736d562a24eac49b2cb4285bd61e424de4b269c5007482c0e2811b07a

Download Submit
C:\Windows\SysWOW64\Dbneceac.dll

Filesize
7KB

MD5
79b03b027645cc480d6ba3a6314d1121

SHA1
8194b224bc5841c34cccd9f7ea7099d27d4d525e

SHA256
00a62dc0f98cfb46abfacefa1f7bdb50adebba40083e53aa78a19164cf655cb7

SHA512
173d96af0cee01278d3dacf49e89b5cc85626b8160e8cc1bad1d6cd90998da6aaebbb763568b5a2ec31b2ae6884e945f15623ac45f1b7bd9d890a73821672dcd

Download Submit
C:\Windows\SysWOW64\Gjkbnfha.exe

Filesize
96KB

MD5
5079b734ae5d9b812464ccd5bbfdf286

SHA1
68953ce3526d076f4a418545ba814eb4cc1015e4

SHA256
567b0e96b719d6e9d5ca94b5995b0f05e97591f7a1a8c23a2b835ccae74985a3

SHA512
fba90f9ef1fa97ec2f072cceee6019abfc7d84550fc176f4e170010e08205eb0b29c90df21047f99b90df81e2049050b992e26e57a9973746199252ecd276997

Download Submit
C:\Windows\SysWOW64\Haidfpki.exe

Filesize
96KB

MD5
55f15bbabc30b456e9f32a312178185e

SHA1
9addf6dcf9120b16d0c8bf6ee7d51a611e108407

SHA256
41df1c8783a3dafbb4a2c3e72db8a941b66c62064838f5651b95e7f5746e5308

SHA512
8b767ceb740ac21ded0374c18b8ef23627036adbaf6a2d9f6667087b10bc57a92f27c968c5ca62965d1c2273172506683fd8bc07ebb0d9f8e553694fd3b7e103

Download Submit
C:\Windows\SysWOW64\Hepgkohh.exe

Filesize
96KB

MD5
aa2e99e251fe5b3711b12d2b9ce3e444

SHA1
213f45dfc97f8f7cd517dae006712f03b68a1df6

SHA256
ac3c690b5bfdc1782e6321c087f3669a3a934c1dc55fcafeb0927823f8780fc4

SHA512
4c22e3de72b546869dd97962c8d6473a55e9cb87afc11dc8f6bb13c3e9160c0a10c819228361cc49dbb898d2ced79c985cfeef77d63ab0e4fcb70365cb885101

Download Submit
C:\Windows\SysWOW64\Hgocgjgk.exe

Filesize
96KB

MD5
2677ffb3267691a18a21e56991789214

SHA1
d4abfe194b8e4411ebc0345abeefefcdd8e6b435

SHA256
ce8d5310211ca3e13b82f62a0372f70afdc968a035d30eec5e50036ca35d444d

SHA512
855eca1268e7aa5c1640239bc9cb54b9f4cd1d637ad281e57d212a8180351fa501f52997a44de820fa20516b2e246a10112f7c21bf19e28485712e2e39b8b7fe

Download Submit
C:\Windows\SysWOW64\Hkmlnimb.exe

Filesize
96KB

MD5
e3090c6b690954c2b8977a1609955f53

SHA1
fa72b58fb79c07d02fa4ebfa0a14eec866209359

SHA256
0f6a04af4dd0f0de4ed470e6258df5df735bce7cf7802c37005d003119394382

SHA512
3b7f6e716e0ba000c2d9cabca0b4bdb890e192d153ee6d807dc8e10df4a783c23354cd710e0e23bf9747d4bf8486cc55be28bf9d3a6ddb0a69d35b9ce609f4e7

Download Submit
C:\Windows\SysWOW64\Hkohchko.exe

Filesize
96KB

MD5
4bb4aa7d42846c37953ae89ee78608a2

SHA1
95c245424713980dd54db18157c82200e195fb3b

SHA256
cf6b2480d9c46055a98253f01466be5d8e16a89763e311a4b05f1dc75b153210

SHA512
5aaddbc4c72a9e0c619b46054a91f5e16670d5fa7982cf02783f7a77704d31a3d8b38306abc44b64dff43aedbd26490b996f503000fbd333ff19fa56570deb44

Download Submit
C:\Windows\SysWOW64\Hqghqpnl.exe

Filesize
96KB

MD5
18d63495781677632f055af24ca12422

SHA1
336c52da9abea0b31159bff2be0fdd5573b9bbaf

SHA256
45bbf116abd50418eab98dc1d268b351ba4a3e2cedf1547a85db421d35b73694

SHA512
adf3238c6662816a82c449f5b80cfb3257dd95b270e844985ad07e3b88df5128824e3eac96a641c87bcf27dfdfc71ff46e9dbc021978aa309f44261392c8dad3

Download Submit
C:\Windows\SysWOW64\Iabglnco.exe

Filesize
96KB

MD5
948284ab05ea7be80d273e1da76877e1

SHA1
a3f8e0dbb6b8329a2705328d73a877fe7e3fda9c

SHA256
49393814cd9819f9d4776d06bb4e7eb73a2aacf17b40f9e2cd3d215b5aedf214

SHA512
f49e6dc6ad033531b4f92d3052250a04953b79e6b946fba89774f7e067109f97e76e35ddacf39a0ea01fec91011e9000fe99d5466ca4568a1ba480e25dc7ece8

Download Submit
C:\Windows\SysWOW64\Iaedanal.exe

Filesize
96KB

MD5
6b0320ccc1a91a06284c2661be6ce285

SHA1
878611d291732bba2f00a3c25cbb13ac493bd68b

SHA256
5354e493f6bf006bb4d104f93ad6829c6e2767ff4b71dbcd1b2c24cb625baf6d

SHA512
a3cc92c6b45eaac547aacb4f2844ec6ea2a2a4172ed72020d6b6223e67bae3c3be5c7afb40c1a089ed796300715047e5eea26569d6afdcd924f686cb88a571a7

Download Submit
C:\Windows\SysWOW64\Ielfgmnj.exe

Filesize
96KB

MD5
91e42cef2789806e1e3ad32ec65e948d

SHA1
de9dd8ec1c6bc6134e6acd7899269588d786af9a

SHA256
04b2c83111c3450c7ce5862ddc917d85340ba79dfb7649ca48fb9a8b5a639ad4

SHA512
e734207df7216baae468472f160f92b0c2ca622d95a256de54c2ad1d4e75e844b35d89a71674f47db3800188f7f4d3836f4e09e999e1f52da6bf718e2ded16b8

Download Submit
C:\Windows\SysWOW64\Igmoih32.exe

Filesize
96KB

MD5
0c5e2c3b15b60317e2f698fa3ccd2a4a

SHA1
f32c1dc8a2d9378919128caf578fdd2ceea201be

SHA256
a9a4a774fe4aaec71e7fec317f75419e88f5fe1886ec4cd535ef3bc8959c6c9a

SHA512
fa6cd72075b8fbaf3d22f6f733d73935f6184300d2be6ff2f401d490c62d53fb45b66a3a93eb4668277b308b2669d38f99e75c8081da60d9583cb982dba375db

Download Submit
C:\Windows\SysWOW64\Iholohii.exe

Filesize
96KB

MD5
0bbc5dbea6786797d23691131978b340

SHA1
83710595485537619f43508d5fe5b726906abf32

SHA256
e069679c5f8562ab3b059c9ae2610b5ca09ac6a0783d539ed7325e2c8613b7a7

SHA512
512b0633ea7c249d13ec3a05dcdc481b115baeaa58990058893617a8fc18cc3588940423b56173e60d2267f614e79f10ad2039dbf6c520117a7fb8cc24bf4db1

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
96KB

MD5
e70fd6ac9a6b82ab83e4354629f85fb9

SHA1
e9fffac4001f3fb2f84db9cf55ffb459675031e0

SHA256
0104755c30b4b480fabbc3d2ce005df6fc0c5b6f577644069a6814c07d9b3e79

SHA512
fba64e0946d29ba83c176bf762501fef204585fb3ce74fdccac9f54da7f9ccf8c7b44708e109d9cd63e7b2cbe4ce35e65db7b4da0e59ab3b7ef9485a66693c0f

Download Submit
C:\Windows\SysWOW64\Ilfodgeg.exe

Filesize
96KB

MD5
ad64121b3208171cb02721fd7684281a

SHA1
1fcb5bc8169b79836477fdbb2a72a40b5dc3e429

SHA256
8ecd5f5102274d8cad48252be655b79f4bad11f3e692469805fddf562715bdee

SHA512
38a97c86778edfef461446d482b8d259686504e3fd9478c8e4ba28d9f897890ec380bea968439f7e165902f11350476b4c713d5000b7da3dd7dbbb196a392db4

Download Submit
C:\Windows\SysWOW64\Ilmedf32.exe

Filesize
96KB

MD5
98fa6a60dd87aba728bfa1fc05f323a7

SHA1
bdc4344b6c5de5ee6997b379d6f7fe049a791799

SHA256
25518c3aa0c8713f01d13f90391d8bb12c0e370d7a5c1fb0f1ab71827ceeb369

SHA512
11cf62cf981a98e07159b4a224288f02f1772489a18f928324843706c4be5618ca531725a36a96716ca9b61fca71e83c6a31558caf508ffb56bb56869929e5ea

Download Submit
C:\Windows\SysWOW64\Jaemilci.exe

Filesize
96KB

MD5
5612a1b882c44589f041731641b8caf9

SHA1
3caf6363fd74b9d36b07233f3e0a1fc1de88f0e6

SHA256
82c67824912758fbbeb665486391daa154b68c7889cc46090379e4f13f292c2e

SHA512
3568b2620d315cbbfe2f44cc9c9b079df25fe055ce66cf74025d08c6296a27d8fded5ece9808353a73fb1a516841e88d23e8381cc4b6b351ec23e7c991ec49f4

Download Submit
C:\Windows\SysWOW64\Jbncbpqd.exe

Filesize
96KB

MD5
16d6fdd5290ff382c9664b4998eae86b

SHA1
36379597a0de67fe7ecca4d5695f71c85eabfde8

SHA256
9486cfd717adce6da87b9b05ab108d3297f7a3cc7a5752ebb4a1bd0f369b0b41

SHA512
a3bca26e290bfb80d1dc52292570c4625a985687892ccf0d147597564c89b422756973ad1dac4ed0e4deae216b61201e6ae109404bc333b773d65b55f2454042

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
96KB

MD5
94441aa2400b00f97343eee17bbb548e

SHA1
698d318dfe553b92ca7c44e1bfa31cc585d42e53

SHA256
4407f103c7ba9c67d677118533e739095b9b5b8804afb38b992e6fa08b027db6

SHA512
56665e78e44f96f8a8b9b29544cdd2b2f544fe197c2f847cf9a790e24777d6c913c7425e26adef4a041e9c26d437b63a7927f49bd0ff6473da0824b5973b4a18

Download Submit
C:\Windows\SysWOW64\Jejbhk32.exe

Filesize
96KB

MD5
ba6f21322a3fa8779cd6ecaff5afda46

SHA1
5f213c905d15f4db44d199bacd9c11fcc8e8eb94

SHA256
4913ea700ae39e1ed27c684970f54034c67786ba6a3a5c26cde13d8504ed20e6

SHA512
3941c537d51bc75c5e99f35b89b394f4726385a478b175a33493b07e83926e428699b884fa3ac51d7afc226b098e84ef759921752016a2829affa968900f779a

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
96KB

MD5
398d7be837f500e7f1ffdd007f085afc

SHA1
67c624775774a198f0f411e6fa71ec201da2cdd8

SHA256
d27ff2aaaae2b2086247fee56dbb71658ae65a1051a951d8d9f3597fc07b683e

SHA512
c67f028db3f231a3c9a21a18607e2828cb14d21bacfe1d92f257a64a763846beca3c5219e282ddc8929586c484edc3f4e4a48f5d20968b9c311db1c441bbed3b

Download Submit
C:\Windows\SysWOW64\Jeolckne.exe

Filesize
96KB

MD5
2776fda471a888f373bcb47d68eeb419

SHA1
4842ffad89d576bc4e542c1e41eb8606c6f4326b

SHA256
ae1548cc53b6629a8014975cdf28eb7445df8b4eb51b2a9767e6c194ff5467cd

SHA512
8a09eddacfffc389120a6f31e0e227db45084689a48fc9970097e8eb0a6bc0783533d5615489c2e5af3be15184e889ffb227e2bbef60c83a0682145bb89ee95a

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
96KB

MD5
2c82291543931486df8c573949aec016

SHA1
6ce32b7c62d42df827fe76d59d36ebd152f2e885

SHA256
6cf63746d2b03e1635414d1d538898468e581193cdeb0d972c52a95ef8ac59f4

SHA512
ff295279346f0acc3b63c18c2b40da0e12d370e6e3ca1a38ec977b29dab0f9fa997a9a9e3828cd6f31c05aed30edb22bf94d11089f0cabf100f00d8148c17947

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
96KB

MD5
32fcc3481da940bc90bda744416441db

SHA1
3407c40e98c8e1eac0e45edb510a9d4be7c061e0

SHA256
be4ae3bab3f5e56280f9c8ce63ba58b1aa74f276c5185d4cc443fe62d6e0b8e1

SHA512
eb77d3d6686b7b07f44c19fbdf323be3b2b0af4943d56d13891754460d921a5c3e2905eb35f948b6df2839776406460a5925249b51f38d6ef4428f9de65bc02d

Download Submit
C:\Windows\SysWOW64\Jnpjlajn.exe

Filesize
96KB

MD5
39fe5e3764cb2344da3a6409c3ffa8f6

SHA1
73e80484884d1ef484c30b375a75d67e0ba73ea0

SHA256
322deabec67ec664aae194330cfd1750f8855c0f858b0602389f04cbd744fa3d

SHA512
3c9036b9861772d8459b6cc5b8c0ebca69a9e9ae08ad2abc166c34130851ebb8a9ab50e27cd1b96aaebd1f043ae0466354e9a6c1d9125df74abebf384e676b41

Download Submit
C:\Windows\SysWOW64\Kalcik32.exe

Filesize
96KB

MD5
86e2fb62d90f6eae05c82884441147be

SHA1
c576baaf3293eb515165af1665288d44bdaa8b3b

SHA256
64436af572f833458ded3cc16f6f86e4a67a21e4b9d39583db0d6b8909c9cd6c

SHA512
4d1756ec205f7a4c2d6496f8aa131befcb80989806b3362cdcffd50ae18135797244d9f27e5ae730bf4ca767cb5b17c86f5fd1bf54007964897c7b3cef08c0d2

Download Submit
C:\Windows\SysWOW64\Kkgdhp32.exe

Filesize
96KB

MD5
12e4202b06017c161c5f6ea0960f6028

SHA1
2e822bca30947de8d7cbcc7c831983e0b240bf77

SHA256
003e436962b79dd2915ceecca3aef0f15902817ac92b83b2c5c23e957278d87d

SHA512
20a0ba626b25f0157f10a62b2ed6af3c487b4e306abe91f714b981ee0d23d0907b41f2802e949779dee2cb663cb18a4089e24629f7031e936c754d8ad4c648ff

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
96KB

MD5
561158131e6b184b5d5a679afb4a3d49

SHA1
57ec0f9c03f63897511b29c14e14d8f0e8b8d68e

SHA256
0ff7b731462a8659607d47f307cd9bd8fc951875a58f1aaa41c0c6c049079bd9

SHA512
4a3c668e0c8d6d3230460c687480eeb29c1a73be0b244f7a3aee1403d68793abb58f3dac20c19ec47e61a0575064398beeb07e4e92e3e8da58e1c2d9604b3827

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe

Filesize
96KB

MD5
d4ac0af183240282d0b0457105127cef

SHA1
3f43bc9e7ff3d237da1d084542c0b268fecfbdfd

SHA256
ab3dc432bbe0e38127af5db40db4a5884aadcdce72e3c2d86ea3ae319d0de29c

SHA512
ef57be1ff722bb07d1df882ea8b43c5703f56e45e606118fdf0ff33d9eb6a8f314f7b6221c398d8799d7a803bc6a8cda08b232bdc0a6733adae2e2126ac392d5

Download Submit
C:\Windows\SysWOW64\Koljgppp.exe

Filesize
96KB

MD5
0e0374f1a0fef65dd739bcfd9fa42507

SHA1
69c1a44a09d0d353d0362af584630a1bd7de5f30

SHA256
258ce8c5594cad5a979a5f207fa25a92aa5c090e6c929922c859c7dcb232e943

SHA512
f399e87cfc35ddd3d986d80be9dddc243f6b32e208dc9a3741ad95fdce20ac2ecc068c226d2c47cb33e6a18fbfac4a9a26ea484c046d45c5dd7d3b7e22761cdb

Download Submit
C:\Windows\SysWOW64\Lcjldk32.exe

Filesize
96KB

MD5
3d464f1957fc5ca41edbc3ca5bcb137a

SHA1
0e2dc4c0c5374f1e6d92bd22529700d856a340ff

SHA256
8c0a48158665aa4d244b9122e23c3be3787ad0c49844d20ebd85be8d90f96f25

SHA512
6e0f13afc79837da2da0e53371f0759422a94256e1ade9412b71607a830c9a188b53906f31247cddca1e045e1742d10094cc40b60bcdc270e7460bdee3fc2a4d

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
96KB

MD5
68484809daa57184f7213f6fa6c733a5

SHA1
d488bbbf89c5487f4e77be7e46fa85dcb8454db1

SHA256
81aab770302ca677250f4c1fb701d2bb49f79b9e2c89f06aa8a5adf4e90286f4

SHA512
b4aae3d3500c04c193acc5e8f14b0bed31ed973cebcb549dc119cee34711a7ec5e7cd0445ee2f60485fb2e9a9770ed82389f8f7d2c774d24841bc966d0d03b07

Download Submit
C:\Windows\SysWOW64\Lklnconj.exe

Filesize
96KB

MD5
2d792adf815f88c115eff8c2a8668470

SHA1
be20349d8e0ba0e063fa93877bcd7384794da1be

SHA256
90103f6ba7984dd1bcde8f2b54743bd68f886e659e86a04c64dfa2825a83b5dd

SHA512
e8e3162dd5efab0c0d62d5917953de806327a28e66f0990907c6b7b91b7ffd05e6ffecb958af6f2974697b8a63e19ea0bf6c769f4cfd90e3313922b511d9e48b

Download Submit
C:\Windows\SysWOW64\Loemnnhe.exe

Filesize
96KB

MD5
42f2cae31c422a36be441fadcce5fead

SHA1
9181944a9b157e84828a6d29cec780ddf5a86c2f

SHA256
fc6a68280d6f4a91aa1c696bd3b82811117beffbf8da97c2c0ceba3bb2e4e468

SHA512
f0b23338f721af63474b8d6e3d4d81d1669dce344ffc549b90b5a996fc321a4ea18a43a63ef77b936796fa8ffdd84d69c8600700b3689c2d5bfed2e2d7940770

Download Submit
C:\Windows\SysWOW64\Madbagif.exe

Filesize
96KB

MD5
60d2d75e44da08984c6db66174419ed8

SHA1
a36a0dc70479310b18b7315abb587deaae31d55b

SHA256
4bb90002b0d2a256c88e40c316af14a896d4a23345d501c53260e65323b90411

SHA512
d44c99f227ed3213d0e7ef50c8aab94fcd32c588a6942fc7d3e3a26cdf643cfc1d83f0674e6f88c9bc1014e08fa43fd5234b97b14231f43820f2979ded17984c

Download Submit
C:\Windows\SysWOW64\Nakhaf32.exe

Filesize
96KB

MD5
4a9707779a5774938e26bf8a7a7ec8e5

SHA1
acc334f38327472d26097abb351b4dc17cadb6f7

SHA256
d77b4b7590df3fd23add3e76ca9c1ddd641fb099db97aa57d191b4ba64ebefdb

SHA512
504c8c60ec5cb272cdf8cd0513c6155d318618b52df4b16c0859a7912e065716b2a5f65c14b9035772be8eb11f585f1582557fb93276a3db57125fbc6b050632

Download Submit
C:\Windows\SysWOW64\Nkhfek32.exe

Filesize
96KB

MD5
9ca727b516528ef61967667123674c1e

SHA1
24e4a5e4033867b6f5cbad02951fe0c64f3a09c6

SHA256
849a5c410aae6cc8cf91a456e6e7a8fbe8bfa939023c9e1762549022f31f13ce

SHA512
24d514966ed14fc9cd2a1cefb486509941df73573634e19d2f535338981f1d4886a2c7e1f0ef5549474a391a2a491c51132859f28017d55053db8625a758f9a7

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
96KB

MD5
c765d374040bf28cfe2d4be02e374cce

SHA1
ffb63e59958bab8b834f93f2f7b41885526f0c4d

SHA256
b9c4b2e4ee313dc7a328afb183127da2013e1a0c93284a019e1c45787f8f2c21

SHA512
81dd4556db69f26f4bbbd348fe16cca5d1897bb41e9ae357501653c9febc13c0da501fbf3f84ab6fa90814bc16adc30485ce69dd0133c6d1b55bbbf44a1377f2

Download Submit
C:\Windows\SysWOW64\Okolfj32.exe

Filesize
96KB

MD5
78150aaa64cdf60f8542a21f60b95b61

SHA1
e947113abde8a455e21f5fdd10e482075a6005e2

SHA256
50851ec3b322758e9e8caee7bd84d71208fe9486545ebd80c5c5a1085b03b5fd

SHA512
cc05bae26eb09189c388f9d3d8287fafe488a9360b7527b94806b569187176e74981bf6907d3ebf5f2defe8683d95a4fb436529d72ea6870b4b12021501e2c18

Download Submit
C:\Windows\SysWOW64\Pdqcenmg.exe

Filesize
96KB

MD5
8d86334d52623f30fc7caab79456a873

SHA1
188de5f599ac6306e5b6a53bbd1d958bdf22087b

SHA256
63e4be377b60af3adcfb9ff547b9cd2aecc45d18a4e5bba61725e5b2c07381dd

SHA512
ef0b7e7c8784ea932abf3021f8ad380b706aee245905b86a28dfa6e6259669bb564de722e6056eabbfdd58318e7fdb8ff6d17f3aecca94417e8709141d2f1bae

Download Submit
C:\Windows\SysWOW64\Qckfid32.exe

Filesize
96KB

MD5
f8124f9f68c0b26082b2647e1d06019c

SHA1
8d44df0e73d184df4a157cfe0575b221a1719f80

SHA256
650eca97afad076108a167e3bbe1f22925bec8f96f6ae4b5d25ea8bb41a7bda5

SHA512
12cbfa27b2287fae172d8eaeb7c764d9f779c2202263cddee1e67fe739bc9dfa41c88ff2c6243bc937de20e128b6f0e4c971ec2d3633d4ce0bfc4ae004f96a64

Download Submit
memory/372-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/372-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/428-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/428-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/808-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/808-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/812-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/872-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/872-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1332-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1332-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1372-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1372-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1460-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1460-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1528-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1528-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1740-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1740-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1840-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1840-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3464-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3464-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3508-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3644-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3644-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3840-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3840-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4028-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4056-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4056-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4128-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4128-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4212-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4972-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4972-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5096-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5096-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads