894368a90bdb3fbe51ce9e93f3297100d90a6cd59eff4a40ddd5a8b5461ddbad

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

894368a90bdb3fbe51ce9e93f3297100d90a6cd59eff4a40ddd5a8b5461ddbadN.exe
Size

80KB
MD5

6d300aadd0c4a5e83c9ac1038f2f1d90
SHA1

ecba05e4f2ddeae07b70072c0998f94f434ce74b
SHA256

894368a90bdb3fbe51ce9e93f3297100d90a6cd59eff4a40ddd5a8b5461ddbad
SHA512

b7e413f275e45f14dd04786525a327d3e03035a7f1f32482bbf90b292acdcd0b99f980955616c652bd231780b72188b784e134790eda18d865f5cc4c5e11e4d1
SSDEEP

1536:uYXxYnQutEHSFnFuF07ooEbF6A7wSYCpIpnj4GB693iVNqN+zL20gJi1i9:uUxjHguF07ooEbF6A7wSYCetM3iVggzU

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poidhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblflp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	894368a90bdb3fbe51ce9e93f3297100d90a6cd59eff4a40ddd5a8b5461ddbadN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhdggb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mccokj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfkpjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmoncl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhiabbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcoepkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mllccpfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iecmhlhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijpepcfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhdggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	894368a90bdb3fbe51ce9e93f3297100d90a6cd59eff4a40ddd5a8b5461ddbadN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odjmdocp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdnebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepineo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqabib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcabej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mepnaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfbmdabh.exe

Executes dropped EXE 64 IoCs

pid	Process
1576	Iholohii.exe
2852	Ibdplaho.exe
1936	Iecmhlhb.exe
4872	Ihaidhgf.exe
2028	Ijpepcfj.exe
2784	Idhiii32.exe
1848	Ijbbfc32.exe
3660	Jaljbmkd.exe
456	Jlanpfkj.exe
3388	Jblflp32.exe
3924	Jhhodg32.exe
2496	Jaqcnl32.exe
3348	Jnedgq32.exe
3300	Jeolckne.exe
1532	Jhmhpfmi.exe
3224	Jddiegbm.exe
4336	Keceoj32.exe
512	Kkpnga32.exe
3212	Kdhbpf32.exe
3996	Kbjbnnfg.exe
3852	Klbgfc32.exe
2776	Kblpcndd.exe
4840	Kejloi32.exe
3520	Khihld32.exe
3624	Klddlckd.exe
4980	Kkgdhp32.exe
228	Kbnlim32.exe
3268	Kemhei32.exe
2800	Klgqabib.exe
3672	Lkiamp32.exe
2072	Loemnnhe.exe
3652	Lacijjgi.exe
764	Leoejh32.exe
464	Ldbefe32.exe
2888	Lhmafcnf.exe
1604	Lklnconj.exe
3256	Logicn32.exe
2844	Lbcedmnl.exe
2180	Leabphmp.exe
4088	Lddble32.exe
4780	Lhpnlclc.exe
4748	Lknjhokg.exe
3704	Lojfin32.exe
4948	Lahbei32.exe
848	Ledoegkm.exe
3004	Lhbkac32.exe
896	Llngbabj.exe
4388	Lolcnman.exe
1300	Lbhool32.exe
3132	Lajokiaa.exe
3316	Lefkkg32.exe
2264	Lhdggb32.exe
2348	Llpchaqg.exe
1112	Lkcccn32.exe
3464	Loopdmpk.exe
3120	Lcjldk32.exe
5068	Lehhqg32.exe
3396	Ldkhlcnb.exe
3496	Mlbpma32.exe
2104	Mkepineo.exe
652	Moalil32.exe
372	Mclhjkfa.exe
2928	Maoifh32.exe
884	Mdnebc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hbfhni32.dll	Lbhool32.exe
File created	C:\Windows\SysWOW64\Nngihj32.dll	Mcabej32.exe
File created	C:\Windows\SysWOW64\Omcbkl32.exe	Odljjo32.exe
File opened for modification	C:\Windows\SysWOW64\Pmhkflnj.exe	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Pmjhlklg.exe	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Pakfglam.dll	Ijbbfc32.exe
File opened for modification	C:\Windows\SysWOW64\Khihld32.exe	Kejloi32.exe
File created	C:\Windows\SysWOW64\Nfoceoni.dll	Nlnpio32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmoncl.exe	Mlemcq32.exe
File opened for modification	C:\Windows\SysWOW64\Mlifnphl.exe	Mhnjna32.exe
File opened for modification	C:\Windows\SysWOW64\Ldbefe32.exe	Leoejh32.exe
File created	C:\Windows\SysWOW64\Lhmafcnf.exe	Ldbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Lefkkg32.exe	Lajokiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lkcccn32.exe	Llpchaqg.exe
File opened for modification	C:\Windows\SysWOW64\Moalil32.exe	Mkepineo.exe
File opened for modification	C:\Windows\SysWOW64\Ofbdncaj.exe	Nbdkhe32.exe
File created	C:\Windows\SysWOW64\Jddiegbm.exe	Jhmhpfmi.exe
File opened for modification	C:\Windows\SysWOW64\Kemhei32.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Odgqopeb.exe	Okolfj32.exe
File created	C:\Windows\SysWOW64\Pdqcenmg.exe	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Jhhodg32.exe	Jblflp32.exe
File created	C:\Windows\SysWOW64\Najlgpeb.dll	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Oofial32.dll	Llngbabj.exe
File created	C:\Windows\SysWOW64\Lcjldk32.exe	Loopdmpk.exe
File opened for modification	C:\Windows\SysWOW64\Lcjldk32.exe	Loopdmpk.exe
File opened for modification	C:\Windows\SysWOW64\Omcbkl32.exe	Odljjo32.exe
File opened for modification	C:\Windows\SysWOW64\Ijpepcfj.exe	Ihaidhgf.exe
File created	C:\Windows\SysWOW64\Idhiii32.exe	Ijpepcfj.exe
File created	C:\Windows\SysWOW64\Cieonn32.dll	Pmhkflnj.exe
File opened for modification	C:\Windows\SysWOW64\Klgqabib.exe	Kemhei32.exe
File created	C:\Windows\SysWOW64\Lknjhokg.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Eeeibmnq.dll	Lkcccn32.exe
File opened for modification	C:\Windows\SysWOW64\Mhnjna32.exe	Mepnaf32.exe
File created	C:\Windows\SysWOW64\Gmoikj32.dll	Mepnaf32.exe
File created	C:\Windows\SysWOW64\Ckmpakdh.dll	Nkcmjlio.exe
File created	C:\Windows\SysWOW64\Jnedgq32.exe	Jaqcnl32.exe
File opened for modification	C:\Windows\SysWOW64\Jddiegbm.exe	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Mhpgca32.exe	Mebkge32.exe
File created	C:\Windows\SysWOW64\Pfppoa32.exe	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Iholohii.exe	894368a90bdb3fbe51ce9e93f3297100d90a6cd59eff4a40ddd5a8b5461ddbadN.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Coffcf32.dll	Lehhqg32.exe
File opened for modification	C:\Windows\SysWOW64\Mhknhabf.exe	Mdpagc32.exe
File created	C:\Windows\SysWOW64\Cfioldni.dll	Mhnjna32.exe
File created	C:\Windows\SysWOW64\Daphho32.dll	Ndlacapp.exe
File created	C:\Windows\SysWOW64\Pcpgmf32.exe	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Kejloi32.exe	Kblpcndd.exe
File opened for modification	C:\Windows\SysWOW64\Lkiamp32.exe	Klgqabib.exe
File created	C:\Windows\SysWOW64\Kdlmhj32.dll	Ledoegkm.exe
File opened for modification	C:\Windows\SysWOW64\Llpchaqg.exe	Lhdggb32.exe
File created	C:\Windows\SysWOW64\Gfomcn32.dll	Pcbdcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ihaidhgf.exe	Iecmhlhb.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbnnfg.exe	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Bfdkqcmb.dll	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Lbcedmnl.exe	Logicn32.exe
File created	C:\Windows\SysWOW64\Abggif32.dll	Lhdggb32.exe
File opened for modification	C:\Windows\SysWOW64\Mcfkpjng.exe	Mkocol32.exe
File created	C:\Windows\SysWOW64\Nkapelka.exe	Nlnpio32.exe
File created	C:\Windows\SysWOW64\Ndlacapp.exe	Nkcmjlio.exe
File created	C:\Windows\SysWOW64\Ckdlidhm.dll	Jaljbmkd.exe
File opened for modification	C:\Windows\SysWOW64\Kejloi32.exe	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Pdngpo32.exe	Obpkcc32.exe
File created	C:\Windows\SysWOW64\Mlemcq32.exe	Mhiabbdi.exe
File created	C:\Windows\SysWOW64\Mkgmoncl.exe	Mlemcq32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaljbmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkjjdmaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblflp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmafcnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpagc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlifnphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefkkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmjlio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaqcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mepnaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mafofggd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpchaqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mccokj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oooaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	894368a90bdb3fbe51ce9e93f3297100d90a6cd59eff4a40ddd5a8b5461ddbadN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnedgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mclhjkfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlemcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllccpfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdngpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibdplaho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llngbabj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhpgca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkapelka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlanpfkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofbdncaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkepineo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhiabbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcabej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpnlclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkgmoncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obpkcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlbpma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhdggb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debaqh32.dll"	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagpbgig.dll"	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lehhqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Encnaa32.dll"	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mccokj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iholohii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdlidhm.dll"	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnfbijk.dll"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijbbfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnhog32.dll"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhomdeb.dll"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddble32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abggif32.dll"	Lhdggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepineo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mepnaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqpbcn32.dll"	Jlanpfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jddiegbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmfchehg.dll"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pakfglam.dll"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdklc32.dll"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fooqlnoa.dll"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lefkkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfioldni.dll"	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlifnphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iecmhlhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknikplo.dll"	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmheb32.dll"	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichnpf32.dll"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdkapdh.dll"	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfomcn32.dll"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	894368a90bdb3fbe51ce9e93f3297100d90a6cd59eff4a40ddd5a8b5461ddbadN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbddhbhn.dll"	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcjldk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lehhqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbimjb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1576	2664	894368a90bdb3fbe51ce9e93f3297100d90a6cd59eff4a40ddd5a8b5461ddbadN.exe	89
PID 2664 wrote to memory of 1576	2664	894368a90bdb3fbe51ce9e93f3297100d90a6cd59eff4a40ddd5a8b5461ddbadN.exe	89
PID 2664 wrote to memory of 1576	2664	894368a90bdb3fbe51ce9e93f3297100d90a6cd59eff4a40ddd5a8b5461ddbadN.exe	89
PID 1576 wrote to memory of 2852	1576	Iholohii.exe	90
PID 1576 wrote to memory of 2852	1576	Iholohii.exe	90
PID 1576 wrote to memory of 2852	1576	Iholohii.exe	90
PID 2852 wrote to memory of 1936	2852	Ibdplaho.exe	91
PID 2852 wrote to memory of 1936	2852	Ibdplaho.exe	91
PID 2852 wrote to memory of 1936	2852	Ibdplaho.exe	91
PID 1936 wrote to memory of 4872	1936	Iecmhlhb.exe	92
PID 1936 wrote to memory of 4872	1936	Iecmhlhb.exe	92
PID 1936 wrote to memory of 4872	1936	Iecmhlhb.exe	92
PID 4872 wrote to memory of 2028	4872	Ihaidhgf.exe	93
PID 4872 wrote to memory of 2028	4872	Ihaidhgf.exe	93
PID 4872 wrote to memory of 2028	4872	Ihaidhgf.exe	93
PID 2028 wrote to memory of 2784	2028	Ijpepcfj.exe	94
PID 2028 wrote to memory of 2784	2028	Ijpepcfj.exe	94
PID 2028 wrote to memory of 2784	2028	Ijpepcfj.exe	94
PID 2784 wrote to memory of 1848	2784	Idhiii32.exe	95
PID 2784 wrote to memory of 1848	2784	Idhiii32.exe	95
PID 2784 wrote to memory of 1848	2784	Idhiii32.exe	95
PID 1848 wrote to memory of 3660	1848	Ijbbfc32.exe	96
PID 1848 wrote to memory of 3660	1848	Ijbbfc32.exe	96
PID 1848 wrote to memory of 3660	1848	Ijbbfc32.exe	96
PID 3660 wrote to memory of 456	3660	Jaljbmkd.exe	97
PID 3660 wrote to memory of 456	3660	Jaljbmkd.exe	97
PID 3660 wrote to memory of 456	3660	Jaljbmkd.exe	97
PID 456 wrote to memory of 3388	456	Jlanpfkj.exe	98
PID 456 wrote to memory of 3388	456	Jlanpfkj.exe	98
PID 456 wrote to memory of 3388	456	Jlanpfkj.exe	98
PID 3388 wrote to memory of 3924	3388	Jblflp32.exe	99
PID 3388 wrote to memory of 3924	3388	Jblflp32.exe	99
PID 3388 wrote to memory of 3924	3388	Jblflp32.exe	99
PID 3924 wrote to memory of 2496	3924	Jhhodg32.exe	100
PID 3924 wrote to memory of 2496	3924	Jhhodg32.exe	100
PID 3924 wrote to memory of 2496	3924	Jhhodg32.exe	100
PID 2496 wrote to memory of 3348	2496	Jaqcnl32.exe	101
PID 2496 wrote to memory of 3348	2496	Jaqcnl32.exe	101
PID 2496 wrote to memory of 3348	2496	Jaqcnl32.exe	101
PID 3348 wrote to memory of 3300	3348	Jnedgq32.exe	102
PID 3348 wrote to memory of 3300	3348	Jnedgq32.exe	102
PID 3348 wrote to memory of 3300	3348	Jnedgq32.exe	102
PID 3300 wrote to memory of 1532	3300	Jeolckne.exe	103
PID 3300 wrote to memory of 1532	3300	Jeolckne.exe	103
PID 3300 wrote to memory of 1532	3300	Jeolckne.exe	103
PID 1532 wrote to memory of 3224	1532	Jhmhpfmi.exe	104
PID 1532 wrote to memory of 3224	1532	Jhmhpfmi.exe	104
PID 1532 wrote to memory of 3224	1532	Jhmhpfmi.exe	104
PID 3224 wrote to memory of 4336	3224	Jddiegbm.exe	105
PID 3224 wrote to memory of 4336	3224	Jddiegbm.exe	105
PID 3224 wrote to memory of 4336	3224	Jddiegbm.exe	105
PID 4336 wrote to memory of 512	4336	Keceoj32.exe	106
PID 4336 wrote to memory of 512	4336	Keceoj32.exe	106
PID 4336 wrote to memory of 512	4336	Keceoj32.exe	106
PID 512 wrote to memory of 3212	512	Kkpnga32.exe	107
PID 512 wrote to memory of 3212	512	Kkpnga32.exe	107
PID 512 wrote to memory of 3212	512	Kkpnga32.exe	107
PID 3212 wrote to memory of 3996	3212	Kdhbpf32.exe	108
PID 3212 wrote to memory of 3996	3212	Kdhbpf32.exe	108
PID 3212 wrote to memory of 3996	3212	Kdhbpf32.exe	108
PID 3996 wrote to memory of 3852	3996	Kbjbnnfg.exe	109
PID 3996 wrote to memory of 3852	3996	Kbjbnnfg.exe	109
PID 3996 wrote to memory of 3852	3996	Kbjbnnfg.exe	109
PID 3852 wrote to memory of 2776	3852	Klbgfc32.exe	110

C:\Users\Admin\AppData\Local\Temp\894368a90bdb3fbe51ce9e93f3297100d90a6cd59eff4a40ddd5a8b5461ddbadN.exe
"C:\Users\Admin\AppData\Local\Temp\894368a90bdb3fbe51ce9e93f3297100d90a6cd59eff4a40ddd5a8b5461ddbadN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\Iholohii.exe
  C:\Windows\system32\Iholohii.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\Ibdplaho.exe
    C:\Windows\system32\Ibdplaho.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\Iecmhlhb.exe
      C:\Windows\system32\Iecmhlhb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
      - C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        31⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        44⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\SysWOW64\Lefkkg32.exe
        
        C:\Windows\system32\Lefkkg32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Lkcccn32.exe
        
        C:\Windows\system32\Lkcccn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Loopdmpk.exe
        
        C:\Windows\system32\Loopdmpk.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Lcjldk32.exe
        
        C:\Windows\system32\Lcjldk32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Ldkhlcnb.exe
        
        C:\Windows\system32\Ldkhlcnb.exe
        59⤵
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        62⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\Mclhjkfa.exe
        
        C:\Windows\system32\Mclhjkfa.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        64⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\Mkgmoncl.exe
        
        C:\Windows\system32\Mkgmoncl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2240
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        70⤵
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Mhknhabf.exe
        
        C:\Windows\system32\Mhknhabf.exe
        72⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        73⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        80⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        95⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        96⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        100⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        105⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        110⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        116⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        118⤵
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2728
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        122⤵
        
        PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4464,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8
1⤵
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
80KB

MD5
22e76e74a82815040e0c26be6d656924

SHA1
a306957a1d59f68f3bc17008c8237d1e432f3663

SHA256
75c6c5ea8b063334b890dcdd8adcb981a0aa4999c70d97c589de17becd033d15

SHA512
0a76087492805badfa283aa9a82de29ffcc126d29d2c65c147036335257c305ff7066404dbcf49d730782bbb154cc4f95f048e76968674123094a947130f42ab

Download Submit
C:\Windows\SysWOW64\Ibdplaho.exe

Filesize
80KB

MD5
4d73bed77f20bba3ab061f6d2fc03ebf

SHA1
83eda1f9b9b71e9b6a5944592ebb4fe295f03d59

SHA256
b29b725ea939f80af2f04297247119dbb2b3cb32656c985b18e37d39fb2d983a

SHA512
726604ad7bb9c6039a868007be12646e6a2c0d0693ec6a4c33c74cd7e3df4f0d325fda23baa8fe21fad8f437a84c26ea2c65aadc0225bfc0052fc38b1f3842cc

Download Submit
C:\Windows\SysWOW64\Idhiii32.exe

Filesize
80KB

MD5
c833cb4e0ae2b50abe58281354a29d65

SHA1
7a7c3fa32ed23dc594b02a736b2b6604a1b1e31a

SHA256
abf69a9ade8e46566c7fbaebb77bfe139b7e9b06304b36bf01fed4b3abbc90f8

SHA512
22da097a5084e0fb4cde2d10ffae5fe06cc1470242222bbd8aeaf6caa3222705f796dcd909847deb6add3844dd5d498f5ba46a3ebc1d7feaf854cae414279ed3

Download Submit
C:\Windows\SysWOW64\Iecmhlhb.exe

Filesize
80KB

MD5
9399aa0c8728f2ec52ce1342a616c105

SHA1
6f474d79b4682146aa988833c5806d5565b4a7dd

SHA256
32d56b9b075f61aeb84e4f904fb3f17357f809fa27497f66330d9a3f6d09902c

SHA512
9f90ad0f115421e2a72c3c884f94bd7d1d54dae0be8c6f76c4289b73cc2c26e69b9c7577d0b354a03119a9fa4b84ea043f7df84abfb7785b677dca4548a030c8

Download Submit
C:\Windows\SysWOW64\Ihaidhgf.exe

Filesize
80KB

MD5
b450ea14a7a85a6b58cae91136510118

SHA1
a6622077c1a6dfe485eedca5f844809f80bc9d76

SHA256
e02e702555cb9146f0192ec59f5884b77324903614966fac4630113ccd1763a3

SHA512
d560c5f5f925bc54e3f0a6fa5f7bdddfd63e64c37ed21c2b373dfe27023afa27697168ee8e4d5c6c41f1871cd213fb44ad438542dcaa5605bd3277ca25cc7f02

Download Submit
C:\Windows\SysWOW64\Iholohii.exe

Filesize
80KB

MD5
eaf4fbfb777ca797b94f906de36d0cf4

SHA1
9719efc2fa72f462c75ebd3ba5b57eb738b80942

SHA256
3a62f587b498719dcc2116d49112aaf2b4570eae77e75ef5bcaefd1c784149f6

SHA512
5f2dfc1f3a32d2506d557be547f7c799106d0f37ad8055a232dbfb92d8f40022c2dc3a9dccf4a46f4dda204c9be1f944da9b509e618671af314e9e08a4e78e34

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
80KB

MD5
c10d4ec3b397545fbea7b004414be936

SHA1
da095bdd91139e79c35080a54dd0605c1f1dd325

SHA256
37ba0d31e334bd85a09822cef09b68d3918ea0722ce0145028ec3944c1108982

SHA512
fc52c814c108c4fb785bf42043e66f214d4695b791f2403795d1d77e266495bb547ec291e215756a4f23d7de47a60399104725f5f2a0902fb2da563bcfd2b721

Download Submit
C:\Windows\SysWOW64\Ijpepcfj.exe

Filesize
80KB

MD5
2a8a89310c6684321a507d34bffff49d

SHA1
764684993f38024e4076c1a6a6d0de5edc14585f

SHA256
eaceada553be74b0e5e1a8bb16d1ae0b834c3b2439d5974ce2cb77988afee5a4

SHA512
1c33dfece78c42b64b41ba0dcf4cc7c293c4687802a43e698a80ad6d1b7917e68939d84b80bfa5c0d5869a50874043055171a4a36140bc42a610035d7430676c

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
80KB

MD5
f879f68afc3976442246533297727c4b

SHA1
6bdd5506c4c56880db6bacd5ee84c91ca498bdc8

SHA256
925701f322d91aaf3d1379c6abd294f7c58bd67fdff667724abd3a6fafc6861f

SHA512
63f053fbb58d6b0e42e2f1660ed8047a838d4672fcf3d8a4e996aad8d8f6921d11784d3d1c350dc29f1731c52d312999bcb2b76ac7d55d99f9c20b73bb08d197

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
80KB

MD5
4943ba38f6ebed49d52b0d18685ab735

SHA1
4e97f3bebb70f68b92cc65b4adca8eb194696da0

SHA256
ac895e5fcb87a69e9009a6811d8f70f1f86e6a8ea5952ed068d7d169e77b2f28

SHA512
82963f552e0e3dfa07cb888ba9e166fc0f520b2be64ee66106bfa1fd0b8ffd3d0a13c3cf18dbf7cf55de8c7937996530db5f9e01d8c8cb014fea465a4806e2fb

Download Submit
C:\Windows\SysWOW64\Jblflp32.exe

Filesize
80KB

MD5
6d4ae23417af52717261b6dbea9ceaaf

SHA1
569b3e9b969908d95378f7a4905d94ebb23b32e7

SHA256
8359ddb962283015a88510930019de22fa81664702795007e64c5dddf02d28ce

SHA512
fc75ddb5fddacc48ba80c352f5958a1e5bfe280876050297ae035bcfae04e88bce4362444f7a888157454f0449388472702477e67081652eac528e605dcc0aed

Download Submit
C:\Windows\SysWOW64\Jddiegbm.exe

Filesize
80KB

MD5
2bd2fef1758a39066c2ced157e835a3e

SHA1
924b41999617acfb4ebd2e156fd6a0056052ecc2

SHA256
5ef47550d36014419830357389f71470ee1e44f7a1c98481635e14504a04dfdd

SHA512
754f94d4786132902c50ce56cdcef904ea785f19a8e71e818280902153b0d3725f9b420fe806ff88e54839333bd479dae0144b302c0dd1f7665ab13de4470fcb

Download Submit
C:\Windows\SysWOW64\Jeolckne.exe

Filesize
80KB

MD5
1df558e017b5ed95d3862e233d563274

SHA1
4cc923b804ac412ca22b9efefdafb6c70481b167

SHA256
b80f7babe61af5bfa18d124128f773384e9569bacc902bbae9cd3f03eb0c0c5c

SHA512
c51583fa6f9e7b4d13e1307390bc96ef34c0c7babc6202c0c27a67a5a708440a5ed45c480c69bb9e8dd133c3db3ba899b8d1aa884f8480fca40ea230f1dc92ef

Download Submit
C:\Windows\SysWOW64\Jhhodg32.exe

Filesize
80KB

MD5
ab083c997381c3286c292794f278b96a

SHA1
694b4070f49aff24560f628760535b3f3c2570b6

SHA256
d42c0e0ede40b90d23af957034ce052193f968cd662eba9eb420ec0f8671811a

SHA512
9cf86e6c168afb6119e88f64ac2f00da69259bda8fea7190333f1910f03e518dbdba6c96080c78040e358f1cfb286aacb7079aa25cb4f9d3e83b2f5e2ae5bcb1

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
80KB

MD5
dba41fe80540446b99d4325cd5bc864d

SHA1
83de8a68c4fc61eb06800d2f40e79cdec5491065

SHA256
683ff41626c7652cfa855d0603150367607a1e305ce8a780ce1d1c8bf3159bd9

SHA512
e5c4ba5db7f6e9386b615661123e5632d33da262cca9cca3340ea6277c7e0d654d93c3c659eceb6f9032576c72146afeddfbe1b857eb221409b665df9af0bff2

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
80KB

MD5
f875894f7856a3a8977052696ba3f907

SHA1
ce2137e3e577a6932506a9e905dc51f4ba4cbd25

SHA256
aca6c8ffe2c7f93fafbb5f1be0a3b1d1feafa80060a4f12122b977d1b24e55f6

SHA512
dbbe01a4d74d9e26acec54963e36a2f8fa017f7556465d596caff9b0a37cd36d52e7e34f1befe60ef45eebb99c637765ce1b0630f4796082d00a36302857e34f

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
80KB

MD5
d91fa855daa275fc5afd02addc7ce6a7

SHA1
bc11c5380d06d9c93c0ef3e368ab5a760dd65b4f

SHA256
e3128ca403e1dbd323bc8519697857b4b50a5efb0c53111a5c09f758d6bb5ae5

SHA512
c8249ad50afb1eb1d256533a831e1cda2153a8842b0ced27a7eaac6b656ba52a0bb892b8c1f45faec4dafbd55f26e091e2e9b808effc2aa824e1bb6bf73cb788

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
80KB

MD5
2edf788fa29ff4b66c170b1b62db24cf

SHA1
77534ea38562294222f13e7624f9812f43400923

SHA256
189a76dd3ac696926b2222112f11320390d57f13e688e83ef5cd6f6042cac600

SHA512
d0ae13f7dc0b31353461e261ea890e4f289e1714df5c7eddde5bc2131333683de5891125cf5fb55e8d9aa8caf169c774707af6c258f0c070575f0a7c3fe367b4

Download Submit
C:\Windows\SysWOW64\Kblpcndd.exe

Filesize
80KB

MD5
975399d70e0fa97bcfbd3425c9ced806

SHA1
545b979ad8264f9e9beedb647b3ac4f865138eac

SHA256
1d43dcb0c64e2dd47d7bdd8d82179a460484e66fe214695a95d7cf650f73554c

SHA512
8e373ef0db55edf3a2e4947c3db7e9cd80b0d9e50bb93148326d340a7ac76363894bb3cff61a5f6b5c0b51d0a907e11216bd90afbde1af0f0158cc8a24c926f9

Download Submit
C:\Windows\SysWOW64\Kbnlim32.exe

Filesize
80KB

MD5
0824d49fb7fb19ba423eea6accd4d92a

SHA1
ad34fc0910e767cd04ee6509994053c18d64af8f

SHA256
e0be881f38cbcd096ec773ee1397dc87dd95c67f17c7a5e6e0d69df5f24d18a7

SHA512
fb49c6e6d69be21aed242c0f819baec342d4c3e285da0c76dc6bcd26e29bb7ba4314baa61f56e87d6a40246539ca507c558502d4cbdc155068e0877328059dc8

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
80KB

MD5
a09706a7fb50bd15f258867af11233d5

SHA1
4f7fd2c9b657a27a719e2a43e2e7508f03af4d65

SHA256
ead8d15b8d9af10d1742b8bd97229259e9835d09bf315dc004beaf78806ce0d2

SHA512
04cbc170c758848941f1fd6016e9b526b8229e73df6268943a71877b6788385f2d2fe0500ebd1d299333c490cb80054f50396f0da2ab41b55c683e59093662de

Download Submit
C:\Windows\SysWOW64\Keceoj32.exe

Filesize
80KB

MD5
f94ab2706a43b5ee047d201086c9c95a

SHA1
46fb3a36da9ae2934a1e6750dce69271d8a782f1

SHA256
1bc170c25ace0b4b687dc9af6d7097ad2aeffd897f762901b5b0d4c9fdc7c682

SHA512
7bd07a96bbe536aa718d3b5930d083d81e7f797177fb9844ded625eb0fb525922fa2d97435929d6a2abae847ae400006be22bfd5d2066fdf7513924c8acf7228

Download Submit
C:\Windows\SysWOW64\Kejloi32.exe

Filesize
80KB

MD5
b94841e7bee372151cd95364a0696b1a

SHA1
ef1ded482d67c32a95765c3c92209b6f5746ed82

SHA256
a93563c42c2fc49411e2013434058da3765fe8bc7a00ba2bb361118464faa38a

SHA512
71e3f9205c32b5bdda1b34cac0e617f1a58295c5ef55f690cbabbdd601794c0941ad1be0905118c59fd6d395e090e0b957bb1be7c654a06a60d9747ff36785db

Download Submit
C:\Windows\SysWOW64\Kemhei32.exe

Filesize
80KB

MD5
3af2577f02536b19805364edbfb8bdf7

SHA1
03175d2f2d6526c21f08cb9353dc1004b51b9afb

SHA256
9a24d2520409aff99eed8c57bad7fcd67fa945267aa0ad4cea8ef343168ddd53

SHA512
cc1d5ad2eb47d677a633d279c07c9cd753b7f1b77ae8d1f9f67f62982d100d68108b7d6a765b7965bf1601c055c51c54f254cd9bb0865db123f3147f208a2346

Download Submit
C:\Windows\SysWOW64\Khihld32.exe

Filesize
80KB

MD5
74a1042a9a416399a1527b63fd001c04

SHA1
3f8aa8a81d35d495f8cc5916fd9a2f8ad0e9db5a

SHA256
2cc402b1cf2d55720668e9ddb1c5535bf1331cd0da23b7878f7b6019b97b2ada

SHA512
2157a492d6e8b6d840c8be0b4f998d2002610c04815fdc3b91fa520fddf3304741ad302f54d7406bcd7feafef28ac31e23fe217c94d2d0d537b0e85d97b9ede2

Download Submit
C:\Windows\SysWOW64\Kkgdhp32.exe

Filesize
80KB

MD5
b025391ae86d1121e57c3c741e7ef84a

SHA1
7bb41407e18a712499c002f306daa8e92fc20b3e

SHA256
e29b466a6d59e1ce883ea62897033b03d6a07d5f0ebf35a3fb2bb18c4dd1660f

SHA512
d3188f73b0129490225c0dd69eeef6f3f08638d1e404ee07ff2380ea1399410ddbbaf8657ad1d5127baf62295bd5d22f3e4815375a88eaf5882f8513db8e8fd4

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
80KB

MD5
8dd1d15b710c90817d714ec097712fe1

SHA1
7429d8bf5251d7945dc525e844bf675505ae6d09

SHA256
84ef54a0498646b8c2dad0d4fa85f7ddac933a5afcdb2053ab71c899bfca3d7b

SHA512
a28985cca5049174b0499195801e6b22b49c2f34bbbccbca38440557b299267abfd24a19d0a5c43cc1a0cb46c0528fad13041b533d6281d78f26d12b54fd7b1b

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
80KB

MD5
e4c9c5f19a0e2ab1dbcdd972e4ded235

SHA1
a4ca9eb54f15d486c3837cbb2d971116ac31b3e8

SHA256
07033c46481206c31713e835a1b21c92f61a8c3c947d9bdb4299d8e42d7b3be2

SHA512
586c49bf2b494acdf83725c17311811ab453ed11908615fc37c328176606b7a29b98c525298bd2ffec46e745f4fe37862376df60b72744b01d0e1459729cd078

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
80KB

MD5
f13d3c3bdd673835d6d4ef4a09192b6f

SHA1
91002f00d3b83688056d601a24cdf8e23503257c

SHA256
bbc653a43f9a1519033d14b94d3b53aaa4b6ebbc9cbbd3ec0aa8f46fec3dde43

SHA512
f57b33954c0a816782a66de608cb54ecb9cfb4fab01c5e3cf9ed6e6b8fda1a47053b89a53b1df34803a912f3301c1d2d972879928f77cdd421b541dd0b409cad

Download Submit
C:\Windows\SysWOW64\Klgqabib.exe

Filesize
80KB

MD5
526bde74cee0dd65b094a647b31c2a90

SHA1
3d219f2b4db4fb5c2b6bf7f6352f5cf254f81825

SHA256
3703c3642f2feb84bb55b1c97b903a974523d299ab16164a6d025fae610bfce0

SHA512
f8ebd303a115da49603f2551e4cff3ef83bc1e49957f312c5b4a7c7ffc8d3bbaf3ab577c84eb56b2bea127690e98c0d5206d5580eb671d3d40a8f0113ee381f0

Download Submit
C:\Windows\SysWOW64\Lacijjgi.exe

Filesize
80KB

MD5
e7533b1bb65e9bb5b7284c6b6b3a7371

SHA1
38d57b4f38fbeed1f9ac70ebdad31e09c4291c62

SHA256
a1122a8a382b114bfd9ce2b28c9eecc2de9fc03eb44c5f564b056a6b004592ec

SHA512
4083f79821cc213b84c87e422e756ce4073ae26d49cf3e5750d27007ff4a575be6107b616de0f4460d5b222e6ba11b79abefee113918775dbb67c2f39784c9dc

Download Submit
C:\Windows\SysWOW64\Lkiamp32.exe

Filesize
80KB

MD5
773fe75b5845a21163c1d6a3f15286e6

SHA1
07d67ba27b90a89de302794c8517ad2b32b252d0

SHA256
f492f70e55885a5130cf30b8ff3a899a053505ddfc44f0b7ee79f96018e35674

SHA512
027cdd53d5ebba635ac01792036bf0eb8840951130b6c67e009f888243af2f940bdbf1288ef81644f28aa9b37c20b4192b56c11bbe5f587c3e8748e03c98c15b

Download Submit
C:\Windows\SysWOW64\Loemnnhe.exe

Filesize
80KB

MD5
fbafa5da92c4f82eec9e9ee55ed21106

SHA1
8d80ef97727e7222bdbbf52b95d1c8a0a9cc6914

SHA256
c6b25370df3d2bfd09170f2bf8f447d904019f05011ad2a9023c4e989a5b5ba5

SHA512
d938e77cedd40657f8ce1c3b5cc6790c4424ea4a69bc4dd0b51d0844efccc473ccc9f46d1900eeda63ef6b9db109a5c97df0f3652e36f0883f6ccdb346bc1eb9

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
80KB

MD5
8d4f5d839e36eb253fee777d8550e05c

SHA1
61145ea9d30329516b2717caaf1721e79c040730

SHA256
56bd76a5d5b551846ab06a7fe085457428efc8b91a396544d50064903508a060

SHA512
d61f2a9bfcd92b334638520ccde1099a68b753d568e01c57720b8b9331ec1cf34f8ca1c8d7b0a891a1bde397b2003aa3dc67ae79b0ba27cd503088e4ad77b52b

Download Submit
C:\Windows\SysWOW64\Pcijce32.exe

Filesize
80KB

MD5
0d85c281a1f5f9e645b4c34ab5e19c32

SHA1
ad9b977f4951cd4eb8a26d2326f584560c18c14b

SHA256
e9412c9bad0f80ee5c284d09b1838d6c5c932ba49dc77f2e0ae3a403614400e9

SHA512
ffe21962da0e2decbde8ffd39e2b1c46190bb2c037166e74d5e3c7e4a99ec2f6b29d93b42f52e355a9a9b025cb003923bad1e2e4b446d18d8ba7c30c9eadd313

Download Submit
C:\Windows\SysWOW64\Pfbmdabh.exe

Filesize
80KB

MD5
0c8777ab8c897bc1a6281ff66d6f23f1

SHA1
aa0c664f6324c4c201c0d86e00df8fdd02122250

SHA256
d4b9fe7a314cc2f9ec51fbca5f367d1614f7b9c04d2d5ef0872064d8ef12d207

SHA512
cf364f5561dae795ef1ec97f702590e9d9587c43de59a625c6ea75dc073bcea32c8fc4a87d3a2a03ad050aedf7d2115122e65ce5158c4e8f426a067332c1f107

Download Submit
C:\Windows\SysWOW64\Qelcamcj.exe

Filesize
80KB

MD5
a590aff53ca07a4da8b5b7473d95f4eb

SHA1
183c57eedf5e1d967f4670470aedeb6233b85d70

SHA256
e7b096c32cc6ee03e3ca9a74bd5f4d4b815378ba16cab25a5a35edfdca5036f1

SHA512
da14814a74d5db1fb14e611a70c90064d742d5c3fca15adc109b505e1728cf51aa4446fbbca9d1a47a9631648ee43eafa0b8e8a74d39db02ef6445458fbc5464

Download Submit
memory/228-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/372-463-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/456-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/456-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/464-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/512-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/512-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/652-458-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/764-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/848-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/884-476-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/896-373-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-415-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1180-487-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1300-385-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1532-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1532-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-481-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1576-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1576-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1604-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1848-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1848-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1936-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2072-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2104-452-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-325-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2240-499-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2264-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-409-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2384-518-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2604-512-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2664-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2784-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2784-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2800-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2844-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2852-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2852-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-469-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-367-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3028-506-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3120-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3132-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3212-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3212-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3224-228-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3224-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3256-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3268-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3300-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3300-210-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3316-397-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3348-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3348-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3388-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3388-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3396-440-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-421-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-445-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3520-211-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3624-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3660-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3660-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-265-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3704-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3852-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3852-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3924-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3924-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3996-264-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3996-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4088-331-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4336-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4336-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4388-379-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4464-524-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-494-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-337-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4840-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5068-433-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads