f00529b5976abcf6f1e72522b4bf3e897440b16bc801b3a6afae081c51a33b45

Analysis

max time kernel
126s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f00529b5976abcf6f1e72522b4bf3e897440b16bc801b3a6afae081c51a33b45.exe
Size

1.2MB
MD5

43a944704f3ac8ad803783090fd4494c
SHA1

3ec6c2c0d1fb49b3c19e6f49eb378c7db56330f3
SHA256

f00529b5976abcf6f1e72522b4bf3e897440b16bc801b3a6afae081c51a33b45
SHA512

17b4e09daa928fb06b5052a884ba471666109f9536a647971becebac08dd0b6765fb7a61ca2977a259c2dfe0478a564b7dc15636087d10cd2d4bc6328f38e5a3
SSDEEP

24576:uSRgu5YyCtCCm0BKh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YR:uSRgu5RCtCXbazR0vk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mafofggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lefkkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepineo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjdedepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjdokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkocol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhhodg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomlek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piceflpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oohkai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odedipge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlefjnno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhhodg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medglemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbnbemf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Indkpcdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mclhjkfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mekdffee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilfodgeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohkai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjdki32.exe

Executes dropped EXE 64 IoCs

pid	Process
2152	Hcjmhk32.exe
4416	Hjdedepg.exe
2992	Hghfnioq.exe
2100	Hnbnjc32.exe
4668	Iapjgo32.exe
2304	Icogcjde.exe
2524	Ilfodgeg.exe
4728	Indkpcdk.exe
3932	Ibpgqa32.exe
2128	Icachjbb.exe
816	Ilhkigcd.exe
4384	Ijkled32.exe
1016	Ibbcfa32.exe
4460	Ieqpbm32.exe
4868	Iccpniqp.exe
2096	Ilkhog32.exe
2792	Inidkb32.exe
3036	Iagqgn32.exe
4028	Icfmci32.exe
4216	Ijpepcfj.exe
384	Iajmmm32.exe
4148	Idhiii32.exe
4888	Ijbbfc32.exe
1416	Jdjfohjg.exe
3556	Jjdokb32.exe
4204	Jblflp32.exe
4904	Jejbhk32.exe
1104	Jhhodg32.exe
4844	Jnbgaa32.exe
3948	Jelonkph.exe
1036	Jhkljfok.exe
452	Jnedgq32.exe
1168	Jeolckne.exe
552	Jhmhpfmi.exe
4756	Jjkdlall.exe
4380	Jbbmmo32.exe
676	Jeaiij32.exe
3168	Jhoeef32.exe
2596	Jjnaaa32.exe
3088	Kbeibo32.exe
4996	Kdffjgpj.exe
4892	Kkpnga32.exe
376	Kdhbpf32.exe
720	Kongmo32.exe
1804	Kdkoef32.exe
5128	Klbgfc32.exe
5168	Kopcbo32.exe
5208	Kaopoj32.exe
5248	Kdmlkfjb.exe
5288	Klddlckd.exe
5328	Kocphojh.exe
5368	Kaaldjil.exe
5408	Kdpiqehp.exe
5448	Klgqabib.exe
5488	Loemnnhe.exe
5528	Lacijjgi.exe
5568	Ldbefe32.exe
5608	Llimgb32.exe
5648	Logicn32.exe
5688	Laffpi32.exe
5728	Lddble32.exe
5768	Llkjmb32.exe
5808	Lojfin32.exe
5848	Lahbei32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jnbgaa32.exe	Jhhodg32.exe
File opened for modification	C:\Windows\SysWOW64\Lddble32.exe	Laffpi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldfoad32.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Mkbdql32.dll	Ocknbglo.exe
File created	C:\Windows\SysWOW64\Bbndhppc.dll	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Opepqban.dll	Qcncodki.exe
File created	C:\Windows\SysWOW64\Ibpgqa32.exe	Indkpcdk.exe
File created	C:\Windows\SysWOW64\Ieqpbm32.exe	Ibbcfa32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpagc32.exe	Maaekg32.exe
File created	C:\Windows\SysWOW64\Pdngpo32.exe	Ocmjhfjl.exe
File opened for modification	C:\Windows\SysWOW64\Pcijce32.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Ilhkigcd.exe	Icachjbb.exe
File created	C:\Windows\SysWOW64\Kefjdppe.dll	Mohbjkgp.exe
File created	C:\Windows\SysWOW64\Eobdnbdn.dll	Okfbgiij.exe
File opened for modification	C:\Windows\SysWOW64\Poidhg32.exe	Pmjhlklg.exe
File opened for modification	C:\Windows\SysWOW64\Lhdggb32.exe	Lefkkg32.exe
File created	C:\Windows\SysWOW64\Ncjdki32.exe	Nkcmjlio.exe
File opened for modification	C:\Windows\SysWOW64\Nfpghccm.exe	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Qkfkng32.exe	Qihoak32.exe
File created	C:\Windows\SysWOW64\Gccebdmn.dll	Icogcjde.exe
File created	C:\Windows\SysWOW64\Kdffjgpj.exe	Kbeibo32.exe
File created	C:\Windows\SysWOW64\Ofnfbijk.dll	Kdmlkfjb.exe
File opened for modification	C:\Windows\SysWOW64\Kocphojh.exe	Klddlckd.exe
File opened for modification	C:\Windows\SysWOW64\Jelonkph.exe	Jnbgaa32.exe
File created	C:\Windows\SysWOW64\Ndebln32.dll	Mcabej32.exe
File created	C:\Windows\SysWOW64\Abcppq32.exe	Apddce32.exe
File opened for modification	C:\Windows\SysWOW64\Jejbhk32.exe	Jblflp32.exe
File created	C:\Windows\SysWOW64\Nkcmjlio.exe	Nheqnpjk.exe
File created	C:\Windows\SysWOW64\Hkidlkmq.dll	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Gpejnp32.dll	Jjkdlall.exe
File created	C:\Windows\SysWOW64\Medglemj.exe	Mcfkpjng.exe
File created	C:\Windows\SysWOW64\Kmjaeema.dll	Obidcdfo.exe
File created	C:\Windows\SysWOW64\Jjfaml32.dll	Mekdffee.exe
File created	C:\Windows\SysWOW64\Lgilmo32.dll	Akihcfid.exe
File opened for modification	C:\Windows\SysWOW64\Icachjbb.exe	Ibpgqa32.exe
File created	C:\Windows\SysWOW64\Akihcfid.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Icogcjde.exe	Iapjgo32.exe
File opened for modification	C:\Windows\SysWOW64\Ollljmhg.exe	Odedipge.exe
File created	C:\Windows\SysWOW64\Mqkbjk32.dll	Aijlgkjq.exe
File opened for modification	C:\Windows\SysWOW64\Ilkhog32.exe	Iccpniqp.exe
File created	C:\Windows\SysWOW64\Llimgb32.exe	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Gpdkpe32.dll	Lhgdmb32.exe
File opened for modification	C:\Windows\SysWOW64\Qihoak32.exe	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Kopcbo32.exe	Klbgfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kdpiqehp.exe	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Mekdffee.exe	Mclhjkfa.exe
File created	C:\Windows\SysWOW64\Nbdenofm.dll	Nkjckkcg.exe
File opened for modification	C:\Windows\SysWOW64\Akihcfid.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Ohcmpn32.exe	Obidcdfo.exe
File created	C:\Windows\SysWOW64\Kannaq32.dll	Pkoemhao.exe
File created	C:\Windows\SysWOW64\Mdpagc32.exe	Maaekg32.exe
File opened for modification	C:\Windows\SysWOW64\Ookhfigk.exe	Ollljmhg.exe
File opened for modification	C:\Windows\SysWOW64\Jblflp32.exe	Jjdokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mclhjkfa.exe	Mkepineo.exe
File opened for modification	C:\Windows\SysWOW64\Maaekg32.exe	Mkgmoncl.exe
File created	C:\Windows\SysWOW64\Qckfid32.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Jooeqo32.dll	Ibpgqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nhbciqln.exe	Medglemj.exe
File created	C:\Windows\SysWOW64\Kpdejagg.dll	Nheqnpjk.exe
File opened for modification	C:\Windows\SysWOW64\Pdqcenmg.exe	Pbbgicnd.exe
File created	C:\Windows\SysWOW64\Cogcho32.dll	Pecpknke.exe
File created	C:\Windows\SysWOW64\Haafdi32.dll	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Aealll32.exe
File opened for modification	C:\Windows\SysWOW64\Hnbnjc32.exe	Hghfnioq.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oljoen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhoeef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mclhjkfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcidopb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblflp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcjldk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgjhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfknmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhiabbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfkpjng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifbll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgdmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmjlio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noaeqjpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookhfigk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Indkpcdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inidkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjckkcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlifnphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icachjbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdmlkfjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocknbglo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjdedepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibbcfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbnbemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofhbgmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnbnjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkdohg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpagc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nheqnpjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhfknjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icogcjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iajmmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mekdffee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icfmci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llimgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mepnaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obfhmd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkakncg.dll"	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celipg32.dll"	Iapjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibpgqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnbnjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbbnbemf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghekd32.dll"	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mepnaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbndhppc.dll"	Pdngpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll"	Apddce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Encnaa32.dll"	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkheoa32.dll"	Mlgjhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Noaeqjpe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpaoopf.dll"	Indkpcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnhl32.dll"	Ijkled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mclhjkfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Indkpcdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncjdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaflkim.dll"	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfgke32.dll"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbdpdane.dll"	Lcjldk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akihcfid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpchag32.dll"	Ijpepcfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbooabbb.dll"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmqbkkce.dll"	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfioldni.dll"	Mepnaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjckkcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcjmhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapijm32.dll"	Iccpniqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdjfohjg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2152	2060	f00529b5976abcf6f1e72522b4bf3e897440b16bc801b3a6afae081c51a33b45.exe	89
PID 2060 wrote to memory of 2152	2060	f00529b5976abcf6f1e72522b4bf3e897440b16bc801b3a6afae081c51a33b45.exe	89
PID 2060 wrote to memory of 2152	2060	f00529b5976abcf6f1e72522b4bf3e897440b16bc801b3a6afae081c51a33b45.exe	89
PID 2152 wrote to memory of 4416	2152	Hcjmhk32.exe	90
PID 2152 wrote to memory of 4416	2152	Hcjmhk32.exe	90
PID 2152 wrote to memory of 4416	2152	Hcjmhk32.exe	90
PID 4416 wrote to memory of 2992	4416	Hjdedepg.exe	91
PID 4416 wrote to memory of 2992	4416	Hjdedepg.exe	91
PID 4416 wrote to memory of 2992	4416	Hjdedepg.exe	91
PID 2992 wrote to memory of 2100	2992	Hghfnioq.exe	92
PID 2992 wrote to memory of 2100	2992	Hghfnioq.exe	92
PID 2992 wrote to memory of 2100	2992	Hghfnioq.exe	92
PID 2100 wrote to memory of 4668	2100	Hnbnjc32.exe	93
PID 2100 wrote to memory of 4668	2100	Hnbnjc32.exe	93
PID 2100 wrote to memory of 4668	2100	Hnbnjc32.exe	93
PID 4668 wrote to memory of 2304	4668	Iapjgo32.exe	94
PID 4668 wrote to memory of 2304	4668	Iapjgo32.exe	94
PID 4668 wrote to memory of 2304	4668	Iapjgo32.exe	94
PID 2304 wrote to memory of 2524	2304	Icogcjde.exe	95
PID 2304 wrote to memory of 2524	2304	Icogcjde.exe	95
PID 2304 wrote to memory of 2524	2304	Icogcjde.exe	95
PID 2524 wrote to memory of 4728	2524	Ilfodgeg.exe	96
PID 2524 wrote to memory of 4728	2524	Ilfodgeg.exe	96
PID 2524 wrote to memory of 4728	2524	Ilfodgeg.exe	96
PID 4728 wrote to memory of 3932	4728	Indkpcdk.exe	97
PID 4728 wrote to memory of 3932	4728	Indkpcdk.exe	97
PID 4728 wrote to memory of 3932	4728	Indkpcdk.exe	97
PID 3932 wrote to memory of 2128	3932	Ibpgqa32.exe	98
PID 3932 wrote to memory of 2128	3932	Ibpgqa32.exe	98
PID 3932 wrote to memory of 2128	3932	Ibpgqa32.exe	98
PID 2128 wrote to memory of 816	2128	Icachjbb.exe	99
PID 2128 wrote to memory of 816	2128	Icachjbb.exe	99
PID 2128 wrote to memory of 816	2128	Icachjbb.exe	99
PID 816 wrote to memory of 4384	816	Ilhkigcd.exe	100
PID 816 wrote to memory of 4384	816	Ilhkigcd.exe	100
PID 816 wrote to memory of 4384	816	Ilhkigcd.exe	100
PID 4384 wrote to memory of 1016	4384	Ijkled32.exe	101
PID 4384 wrote to memory of 1016	4384	Ijkled32.exe	101
PID 4384 wrote to memory of 1016	4384	Ijkled32.exe	101
PID 1016 wrote to memory of 4460	1016	Ibbcfa32.exe	102
PID 1016 wrote to memory of 4460	1016	Ibbcfa32.exe	102
PID 1016 wrote to memory of 4460	1016	Ibbcfa32.exe	102
PID 4460 wrote to memory of 4868	4460	Ieqpbm32.exe	103
PID 4460 wrote to memory of 4868	4460	Ieqpbm32.exe	103
PID 4460 wrote to memory of 4868	4460	Ieqpbm32.exe	103
PID 4868 wrote to memory of 2096	4868	Iccpniqp.exe	104
PID 4868 wrote to memory of 2096	4868	Iccpniqp.exe	104
PID 4868 wrote to memory of 2096	4868	Iccpniqp.exe	104
PID 2096 wrote to memory of 2792	2096	Ilkhog32.exe	105
PID 2096 wrote to memory of 2792	2096	Ilkhog32.exe	105
PID 2096 wrote to memory of 2792	2096	Ilkhog32.exe	105
PID 2792 wrote to memory of 3036	2792	Inidkb32.exe	106
PID 2792 wrote to memory of 3036	2792	Inidkb32.exe	106
PID 2792 wrote to memory of 3036	2792	Inidkb32.exe	106
PID 3036 wrote to memory of 4028	3036	Iagqgn32.exe	107
PID 3036 wrote to memory of 4028	3036	Iagqgn32.exe	107
PID 3036 wrote to memory of 4028	3036	Iagqgn32.exe	107
PID 4028 wrote to memory of 4216	4028	Icfmci32.exe	108
PID 4028 wrote to memory of 4216	4028	Icfmci32.exe	108
PID 4028 wrote to memory of 4216	4028	Icfmci32.exe	108
PID 4216 wrote to memory of 384	4216	Ijpepcfj.exe	109
PID 4216 wrote to memory of 384	4216	Ijpepcfj.exe	109
PID 4216 wrote to memory of 384	4216	Ijpepcfj.exe	109
PID 384 wrote to memory of 4148	384	Iajmmm32.exe	110

C:\Users\Admin\AppData\Local\Temp\f00529b5976abcf6f1e72522b4bf3e897440b16bc801b3a6afae081c51a33b45.exe
"C:\Users\Admin\AppData\Local\Temp\f00529b5976abcf6f1e72522b4bf3e897440b16bc801b3a6afae081c51a33b45.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\Hcjmhk32.exe
  C:\Windows\system32\Hcjmhk32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\Hjdedepg.exe
    C:\Windows\system32\Hjdedepg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\SysWOW64\Hghfnioq.exe
      C:\Windows\system32\Hghfnioq.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
      - C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4148
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        32⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        37⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        40⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        45⤵
        Executes dropped EXE
        
        PID:720
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        46⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        48⤵
        Executes dropped EXE
        
        PID:5168
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        52⤵
        Executes dropped EXE
        
        PID:5328
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        54⤵
        Executes dropped EXE
        
        PID:5408
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        55⤵
        Executes dropped EXE
        
        PID:5448
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        56⤵
        Executes dropped EXE
        
        PID:5488
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5528
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5648
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        62⤵
        Executes dropped EXE
        
        PID:5728
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        64⤵
        Executes dropped EXE
        
        PID:5808
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        66⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        68⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Lefkkg32.exe
        
        C:\Windows\system32\Lefkkg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        70⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Lkcccn32.exe
        
        C:\Windows\system32\Lkcccn32.exe
        71⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        73⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2512
        
        C:\Windows\SysWOW64\Mclhjkfa.exe
        
        C:\Windows\system32\Mclhjkfa.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Mekdffee.exe
        
        C:\Windows\system32\Mekdffee.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Mkgmoncl.exe
        
        C:\Windows\system32\Mkgmoncl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        83⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        87⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        89⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        93⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        95⤵
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6312
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6352
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:6472
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6592
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        109⤵
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:6872
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6912
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:6952
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        114⤵
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3336
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        120⤵
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        122⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        124⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        126⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        127⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:6188
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:6264
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        132⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:6576
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        136⤵
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        138⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6824
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:6888
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        142⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        143⤵
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3800
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        148⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        153⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        154⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        155⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7204
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7244
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:7284
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7324
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        161⤵
        
        PID:7364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3708,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4392 /prefetch:8
1⤵
PID:7448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hcjmhk32.exe

Filesize
1.2MB

MD5
0d0e7138772cfbf4e19a8defd141301c

SHA1
dec17e0c95bd63ea6911203c2002e47e4d6bef9e

SHA256
8dc02008b7445867a83c49d31334ec2d7480edf3e99f4ac44f07761f17e21ebb

SHA512
389863de575f15425dd7fc2e545bcf661c1a81154b947810e097da24944a7dd65f959915de954ca9c0a5ac6a1e5aaef89914c4e3432f4b8a9cc24f7ab6553bdb

Download Submit
C:\Windows\SysWOW64\Hghfnioq.exe

Filesize
1.2MB

MD5
fe3d0bd3f1c4aeaf52bf82debb2e73fb

SHA1
6f7051e70ee64b40781f7c236579ce8cb9095301

SHA256
cb54828390514fbd3027614624336e593aa3a8287056d8817154a0221ad64d64

SHA512
8cf2093eb92bb3ad9fd31fc791d76703faa7df7e4d3e9024aaae9a03c5b340ad3b8f5a5dafec86ebea76ef303bd28e141608c9e315d4d7a73df8344498997dfc

Download Submit
C:\Windows\SysWOW64\Hjdedepg.exe

Filesize
1.2MB

MD5
9ba62171029aedcd1f993f081e1d7e0d

SHA1
1607791516d5c97b7f83b92538a69a5f089fd671

SHA256
8327a384fd1cbaf327c4a00d194d26c4734ca8d76a8a653a3101c12453015ed5

SHA512
e1e32641e8a8408cd397e585f407038ae77d27484b6f95b145878d333be6f8d6f0df82803496b1c3a7ded6456b323987cbef8c23ad13b1b14c7f7b06764a3817

Download Submit
C:\Windows\SysWOW64\Hnbnjc32.exe

Filesize
1.2MB

MD5
95529b908725cb1074ef3b96ad824f80

SHA1
e8bfcfeeac4e88681104c4b58407a3a16181c52b

SHA256
44e6e16b83f9f685c182635fd1fc5dbb9e3012754283db861a090af87995c697

SHA512
a524f14eb54603342f5100c27817af82b7618798bd7f5e943a6b7664abee65b8b0301cd3e330c0c6f2ad66c4ac2dcdea60c47640142387bf9587441673bb5269

Download Submit
C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
1.2MB

MD5
d43c98496dce460af6bf7927d0df580f

SHA1
67e30a3de4886694e6218e8001134f2547b434c3

SHA256
88a95577d1c182fdff3f3a155012c65cda868990c0185cdb118db8722bbc78ca

SHA512
6c10098c123067ce01f8e403669dfbaa3bff07dc2941d6a94d2da64b77f76945bb7613b03daa3b77ee5413edbbaf84a3d81ce4c685d3ffb1444fc4dfe82f9da4

Download Submit
C:\Windows\SysWOW64\Iajmmm32.exe

Filesize
1.2MB

MD5
cc2cf695dab7293d8ed35e91819f54c6

SHA1
518dffcef406db95c7521d447a6d7fbf7b526114

SHA256
c9b3fc084a9312d266f5522a618ea9d562f3593fb651dc09fccaa909e8fc545f

SHA512
9c25b5d5edf187305453daa783d6175c6c81799e24842485daf181e6d36f3b252846b06673f0bf3c155f21026cd18f01f8833321329d0cf0c885d88b31000b77

Download Submit
C:\Windows\SysWOW64\Iapjgo32.exe

Filesize
1.2MB

MD5
0b0101515cb670aae899f9fcb688b425

SHA1
7a7599c7417541cde2e5312e95f8c2d3e754318d

SHA256
a405ec1d404b03b50d14f5f275bbd4ef5ae69382f0dd9bb7b7eeb2adc281d5d3

SHA512
cf0cf8b896b83be44bafb2ee85f13b8d0bf47c3eb41a2b9559f0197e18040db1c2ab61ad078c9c6fc2260c238c486c350b216140341181ca1b777a8ed67a1964

Download Submit
C:\Windows\SysWOW64\Ibbcfa32.exe

Filesize
1.2MB

MD5
46fbf5e5c552de9b6c65c0c4b94ce32d

SHA1
6821a0e2407e4f223b70947eeff2383de327ca2c

SHA256
1ab7ba915a0c5ab7ba2eff67cb008ce9e356899ebc7de91f867d99c2f65cdcd3

SHA512
2460d7f3eb1a6d8d85dadc7517f6163019f44614205294899dcf713efb1dc2a9c6b764ebea2b737ab00c8100168e63d010b86c84aca0a065a9f4c0be6318d49e

Download Submit
C:\Windows\SysWOW64\Ibpgqa32.exe

Filesize
1.2MB

MD5
ada998c02c4e5993e5d17063f19961ab

SHA1
7475128d8a5be5f92d2fa6192d66e1510c1cc91a

SHA256
c5ba96eb94d021a479932320a4120d3a5bf1cabe113012384b09691906cf6b1f

SHA512
a1fc7ed09bd11e18559e3dfe44f3d869b9beeb789ffa73fdc3cd26f273f42d12df1e516cf16a9e6bde7947588755d2195889c12d657c635754af7527ac076550

Download Submit
C:\Windows\SysWOW64\Icachjbb.exe

Filesize
1.2MB

MD5
2088f0b2178fce4060150b648488dcb2

SHA1
053d377c4ea062fd2a3d3a50fb232e87b4707f82

SHA256
8e51a6ca5295cc5cdca68e7b3bd31170e7c87067c4ec1bb814c020fd6d17341d

SHA512
f3244b2185248198d39b268645e59622d2c80ca903fefeed5461169de1f3f7c783de0e53a5af08576759ea030f9c95dc3364af24a0feda3add3f97d9edef9b02

Download Submit
C:\Windows\SysWOW64\Iccpniqp.exe

Filesize
1.2MB

MD5
9e29e2d6f2f55cc163eb95667630e41b

SHA1
040ffd7e384868cf7ef3a842fd287924b0744ac9

SHA256
71a9837d63a4e04882524e9d7f36b6279d7dfa6f9df62ec2cd95e82c6ede3bde

SHA512
8b1a551cca89475c4936f2969f58ca8626a57290cf3c4c4765855198f141cf7c1e3c926fb46cb1235f4d4d2e2b6430c10b7a41df059f7b3fa943ded60e0f4dd7

Download Submit
C:\Windows\SysWOW64\Icfmci32.exe

Filesize
1.2MB

MD5
617f03d5110be62b2d339a5c651e9ad1

SHA1
05503a2238e8e3a26dfe9f1be068f5c30cb1e8d3

SHA256
c7255c14610c68721b4c5a02ffacdc35dce5e82f062c5b5ca7d06cb57d32bd76

SHA512
26fe258edf1d59b948aec352d7dbaa3a5bc9b79072d689ea29635d29d1a177e90de00b78c7457e3ae26c9a8c5153eb871f2a604e25c63e6f65bf2676c15b1234

Download Submit
C:\Windows\SysWOW64\Icogcjde.exe

Filesize
1.2MB

MD5
85d8250820aaa94f45d62730eb9f211a

SHA1
1aaafc8391c7ecfceb10a36c97409f34f934322d

SHA256
9b7c8434e718fbe0393e0c46af6d775e593d796a4957eea32c2a5d13995ac946

SHA512
ce8d94c301769c20aaccc9809568faa051bf0120a7e8cfd8409f768c6f3c2a5c7379de93847f97f78067591b7bf06e58aee330d373f790db16a822161d2aff0b

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
1.2MB

MD5
393335e602db8026f6a9b390d70cbc6d

SHA1
819d4052f977adc74a5e2bf0ff4b15acc60ca3cc

SHA256
2a2a8939ee185bb7b9daa2f4d26f167ac1e31d9f0764ab9400be1edf61287f7a

SHA512
0b1da14f29d6651c59ecd620788ab37626595bc661fe454111df7a0b01daef445e13ed509f00a00bbdcbfd55e1023a843abf41a615571fcceb2c740c4795e5bf

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
1.2MB

MD5
8aa7e488c9d188ac92d12c081784192f

SHA1
5d85b7cd94a00d75221ec4110ac357184250d59d

SHA256
c3df8796b081b35decbb383f4b92dca72146dfa6c8100f2fe111e382cbab6cc9

SHA512
99a0290f2076546efb60c9513cdca7f5e0320702e7c268b2a9a919b6969c783b43d09c36fef46a6e2f201b85abc186e252a0748f796c24ed27739309c7baba92

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
1.2MB

MD5
df12116049412807ed03c1cdcf71bdf1

SHA1
d563d7aebbd52b3fa48d575bb72c583364d2e5ac

SHA256
4501af7358f8bab7372374e8c06104151945ba1346d215032c23d534ce78c891

SHA512
07036381d0d2351872421789cc406c76da69cf0a0f5ff97f539d6ce296d07d80d585e72ce1cde9ebd847ccf9b745ecc87100c6fa1f0943e5d119904ee185867b

Download Submit
C:\Windows\SysWOW64\Ijkled32.exe

Filesize
1.2MB

MD5
6df71b4b2ca638a1b608dd10002e49b0

SHA1
e5766db64797912e1679c6d3622027e15918b461

SHA256
fb4e491f96c59d41d39408258a2cd5e9780b53f90343d1cb45b2d634bfe9d094

SHA512
e0c27a5dc1bff5906f2773956da0805a4bbf8f561111ce2602d46d604219a0c8f3e04adb254588bb089105b38b86420e73552ab65b3c1f4fdbd7e73bb4728326

Download Submit
C:\Windows\SysWOW64\Ijpepcfj.exe

Filesize
1.2MB

MD5
cefb12d5dae34aacb1f5888bb1ca4c19

SHA1
5d70a388078fc645708e4cd063ffb796bea8753f

SHA256
f0fef7c01056525ff8572ac90572eaf79d313131a5c3ef08fdb461dd19fe2138

SHA512
eb8fa4f807c76c51e0f0199c51e8e3eef4ed9a6d1440ed80897fa042b392350aea59646cfd395728bb8dd79f3b4406e077d3809abfebb3768ce793479d4fec44

Download Submit
C:\Windows\SysWOW64\Ilfodgeg.exe

Filesize
1.2MB

MD5
9171dd810b27f2e2522be47871f6c15d

SHA1
fbb3f0a591fa88765c5df2f4d19d9b61d19035fb

SHA256
a0ca249f4ec21cc927d5142f482a3eaee3515d118c981c06f686a13f266b7284

SHA512
b433c4bc9f7fe6a3ef7bd9581f7753eec9aa4a19c1c3f9597a9dbff3cb34c8831925cdf8cd12017ee2a6f018d3cfe38d10143fd2c56d7f2516c4f923a2a12d91

Download Submit
C:\Windows\SysWOW64\Ilhkigcd.exe

Filesize
1.2MB

MD5
c27371186ea8b7f13258535792b047a7

SHA1
bbbf0317e718bf5d6d709c9d98bee39bf135cc53

SHA256
29e7597ee41e2193537a8ff30a088c9ceb4b00b10443a028417ee27b46e67519

SHA512
9cc9e8274770d69e1657e4cca00ace212cb7bd4c2b58dd1e94b06c995b3fe092d39aba2373918c4f105cf05b544a7d8a0aadf450c6cff29d81c91b91b4f5c300

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
1.2MB

MD5
8175114e7bf121ae372a4a13ed12a40d

SHA1
a2aebcbe5cc026ef7095857c62972138e4cf8cb7

SHA256
97f8b779a0470e4bcffc2f5cc047e8dd143eb162e94792b27430b4b6168e8fe1

SHA512
4ad0b506667c63face6cb4b50c2b21487a5e3932a53679968a6f746015ecf35518c7b9122d3967eb471729dcecd7221a177ecbaa20c90b761342858135ba93fd

Download Submit
C:\Windows\SysWOW64\Indkpcdk.exe

Filesize
1.2MB

MD5
e6dbd155bf992bb8a897fd463526e144

SHA1
483e98a7b0fdc1ba6efcd7f65911f0870ca14e59

SHA256
5e0f2ac2a956672c1c02952990697916267c3a26eeb909395f02a1eb739f6896

SHA512
668f04fde0eb74b4688089fffd9bdcc33a314586348f0333ba0f17f5dd4c5472a26689c963df7eb8b55bf284624be09c171f3f4962397dc7c79857af01504eba

Download Submit
C:\Windows\SysWOW64\Inidkb32.exe

Filesize
1.2MB

MD5
4dea39ca91cd028553f34a8676c8a6e5

SHA1
85700d01e6103b8ce437af0b26481732fcbfa6bd

SHA256
499359afd5068ee98fccc256e47bb888cf64b5f104779a2ea5ca00cbaf559962

SHA512
b06a9bf78c7339695ac37017c3a9a90c7eb0d1b879f971464b647869b6e85e9b38dedc8eb936edee63f0b3a3fbebc09a658c35998780fb44f9ad1cd977b11a9b

Download Submit
C:\Windows\SysWOW64\Jakjcj32.dll

Filesize
7KB

MD5
7c62e650cecd24bf3ddadcf6060680cf

SHA1
41d502a24db2d471753bfd28546dd536a59ade24

SHA256
a93aaaad30c5edf16b39d97db9dde211ce073ce37b77ce5c8d73566a34d23259

SHA512
ead498ee4c4fe65d8fb8d20c3fec1f9e2d60934662002c330a791067cb5d14e689a5fb9807d031f9312c266b36453cc50459f19df7fe260f67fa57894345b548

Download Submit
C:\Windows\SysWOW64\Jblflp32.exe

Filesize
1.2MB

MD5
bb1339c09f637705e7d63a0144508038

SHA1
5f8cf60262fc11113efaa298163551f639b3467c

SHA256
dc4756de68b3870e43e2ba6c0c2ee9245b9057a5b06a953a9d97bd24cb40fbb0

SHA512
7f5dd6d43fc526ee358a773f4977979e3374a7ea6679031116c4d111f2ed755610ab9f05e56796beb7e01c2749b988636ab5ce4fc20224a72e04cbfadac23bd6

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
1.2MB

MD5
a10943d361aeaa6c118ec07312c21e5e

SHA1
9ce7828566909144baaaf8795a52ca1023093a36

SHA256
073efca29a7c710e2afa6a869ee590853fa9bb3a566f960fcb9fcb1978e625bb

SHA512
4697b63b2f12040416045f52726b97ba729693714c141d798f123e8720ee60b6a91143c94e532ef8154c3a52b8dd31da9c00b6cc7b491e2ef6a3ca94bd44e00e

Download Submit
C:\Windows\SysWOW64\Jejbhk32.exe

Filesize
1.2MB

MD5
6ebab0b1981b4a6b6764024928753ff1

SHA1
ab07885e0f27e3f08b3372072a654e0edb47155b

SHA256
213df083d8f335e9284af1a1d73def89aed3624a5c6e1957282ef45986448732

SHA512
0eb360dc147bec7ff5eff3ad838dc7ef3129ec72cc98e6dce88328118a6fa87bc00d0cdbcbb6bace9bfbe6a7614c1b6ad1462c661d21098d776814f010909da2

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
1.2MB

MD5
79ab6af2205eb89b761f0ee9ef965274

SHA1
3e78e832ae6d86f44812532e69516d23fb10ef36

SHA256
ed8895a215306beea54341699a0d9b2c069e28d4cadd9e57ce1b56f5c8fdfdad

SHA512
6f4c757beb1406490b10a35218fc6517f46e6aa216e90dec538a9a57a3689311229d61dccd6c275998162f9a835487be9906eb5f31ee1451d0eea060ee8c0413

Download Submit
C:\Windows\SysWOW64\Jhhodg32.exe

Filesize
1.2MB

MD5
80c513b6f31a905343e2937c616d4007

SHA1
0213bd25bf60c3629fed10aa3b4126ef5c7dc8ff

SHA256
710d2ff424a0c88a8359e6ecbaf1a94cdf6f3981793feb275618c45559c67b9c

SHA512
a5ec9bc7ae40ac85a09dd8c4a6f2f2b11906eb997f036a2265f02b726a0b1ff0089a428e78dc84224ee359a973199a8e4156be55c32e1535af2cfd6c7ffc74c1

Download Submit
C:\Windows\SysWOW64\Jhkljfok.exe

Filesize
1.2MB

MD5
5834de6a4bd7331eff7a0295dfc41be4

SHA1
3c19056e3d24e240f70725e41482b37ec9490692

SHA256
3ffaa98b848889a733e17728db4e6722f46fcd1446f9dfdf4df8b68f2ee2fcf4

SHA512
d58904923775dafab79db911a7ba0628818a210b9454761513df0f86daf06a045e545d65fec080b54089d5bcd8004c797fdb9ee4edd4b662a36583eb47fec174

Download Submit
C:\Windows\SysWOW64\Jjdokb32.exe

Filesize
1.2MB

MD5
ee7c00ab95c9dbb694e958dbf003cb2a

SHA1
8a35d2ccf9925dfb1e2cbad14c80e4a1c137417d

SHA256
a5551b7fa63e854ba65ec5c2bef9b5e9f73ffecef7e2dab58372f46502ea760f

SHA512
bfce877e69531c1aa5a97c3a445983fca2e999f73f592a0989f2816df45e8171da8cfe96ef7fccd905dcd7db74d0bd1f5f8479b58a145f3d5f3cf6035147e649

Download Submit
C:\Windows\SysWOW64\Jnbgaa32.exe

Filesize
1.2MB

MD5
cd1310bd156d78c368a49310eeeee12d

SHA1
9b05b75c91ac14d4fbc0bd23ff647295845852df

SHA256
5f5febb1d9c2658c0d8717f76495959840942014760fa80e700753ccf4d75136

SHA512
04110e88cd0f58886e4333ff0dd28b5e9eb161db948b83c4698b88ca7b3f4f8641ca08f8a7dc0760a3a0dce28fcb7ff64b71fe867d85704fa33278cef5503614

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
1.2MB

MD5
dc10b0f834a746f96a7ef8d79395af7a

SHA1
2ce5b77fdc799a0fcb6ab4ae294f6fdb640355b8

SHA256
96bdd98b323091746387e22400478acb6948aa7e1cb666ce21ebef0fcb44dab6

SHA512
92ea04734fdbd241357bedc2344dbd5fcefbee7803ad79f013eab27fe6125e53b322c06bd5c0df13a824dd3ee276665da9ea2e0d6611b0b4064e17c26b49a9ea

Download Submit
memory/376-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/384-174-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/452-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/552-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/676-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/720-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/816-94-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1016-110-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1036-254-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1104-230-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1168-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1416-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1764-508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1804-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2060-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2060-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2096-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2100-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2128-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2152-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2152-93-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2304-52-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2480-520-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2512-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2524-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2544-502-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2596-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2992-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3036-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3088-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3168-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3556-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-76-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3948-246-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4028-158-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4148-182-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4204-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4208-538-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4216-166-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4356-526-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4380-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4384-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4416-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4460-118-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4668-44-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4728-68-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4756-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4844-238-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4868-126-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4888-190-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4892-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4904-222-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4948-532-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4996-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5128-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5168-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5204-544-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5208-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5248-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5276-550-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5288-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5328-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5356-556-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5368-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5408-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5432-562-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5448-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5488-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5504-568-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5528-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5568-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5584-574-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5608-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5648-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5664-580-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5688-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5724-586-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5728-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5768-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5804-592-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5808-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5848-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5880-598-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5888-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5928-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5960-604-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5968-472-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6008-478-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6036-610-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6048-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6088-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6128-496-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6152-616-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6192-622-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6232-628-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads