2b6160b66405385d5d51d75797ca7ae758aaedf5c64e5399cda89dcaf3c68c32

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b6160b66405385d5d51d75797ca7ae758aaedf5c64e5399cda89dcaf3c68c32N.exe
Size

188KB
MD5

f1ba0139c4bc2b71610f3f17a528a140
SHA1

a57440de2b36439ace5a432b9770a8ce9917fcf0
SHA256

2b6160b66405385d5d51d75797ca7ae758aaedf5c64e5399cda89dcaf3c68c32
SHA512

9c6b2f42113d1cf35297027b728a7f67b526d1cb2135b17cc978db8d15dcb50bcf5d66bcc26be952a056387b98389587f657e734bbcb132e7a471f5261437379
SSDEEP

3072:4KY0wjDkQpQVhuZRWj1AerDtsr3vhqhEN4MAH+mbPepZBC8qzNJSKrDco:48w/hpnWj1AelhEN4MujGJoSoDco

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pokanf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leoejh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Podkmgop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlemcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2b6160b66405385d5d51d75797ca7ae758aaedf5c64e5399cda89dcaf3c68c32N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhlfoodc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nooikj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbnbemf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odedipge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moalil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mebkge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akihcfid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkapelka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihceigec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moalil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooangh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkhog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlefjnno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oljoen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhdggb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlifnphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nooikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leoejh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Napameoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjihfbno.exe

Executes dropped EXE 64 IoCs

pid	Process
4668	Ilkhog32.exe
2604	Iecmhlhb.exe
2728	Inkaqb32.exe
3436	Ihceigec.exe
1540	Jnnnfalp.exe
2312	Jhfbog32.exe
4752	Jnpjlajn.exe
1768	Jdmcdhhe.exe
2344	Jelonkph.exe
1172	Jjihfbno.exe
2884	Jhmhpfmi.exe
1088	Jeaiij32.exe
4900	Kbeibo32.exe
3256	Khdoqefq.exe
4988	Kalcik32.exe
1224	Kkegbpca.exe
3216	Klddlckd.exe
2804	Klgqabib.exe
8	Leoejh32.exe
1192	Lbcedmnl.exe
4640	Lknjhokg.exe
2628	Ldfoad32.exe
3496	Lbhool32.exe
3888	Lhdggb32.exe
2104	Lehhqg32.exe
812	Moalil32.exe
4792	Mlemcq32.exe
4412	Memalfcb.exe
620	Moefdljc.exe
836	Mlifnphl.exe
1388	Mebkge32.exe
3132	Mojopk32.exe
3896	Mdghhb32.exe
5020	Nkapelka.exe
4392	Nakhaf32.exe
936	Nheqnpjk.exe
2792	Nkcmjlio.exe
212	Nooikj32.exe
3648	Nfiagd32.exe
3464	Nhgmcp32.exe
1356	Nkeipk32.exe
1608	Napameoi.exe
2168	Ndnnianm.exe
1188	Nlefjnno.exe
220	Nbbnbemf.exe
2408	Nhlfoodc.exe
1760	Oljoen32.exe
448	Odedipge.exe
624	Okailj32.exe
4828	Ofgmib32.exe
2212	Ocknbglo.exe
1424	Ooangh32.exe
2848	Oflfdbip.exe
4480	Podkmgop.exe
1504	Pfncia32.exe
3328	Pkklbh32.exe
1564	Pbddobla.exe
4704	Pmjhlklg.exe
4376	Pcdqhecd.exe
3224	Pmmeak32.exe
792	Pokanf32.exe
3928	Piceflpi.exe
636	Pcijce32.exe
1508	Qejfkmem.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mjicah32.dll	Lehhqg32.exe
File created	C:\Windows\SysWOW64\Bhejfl32.dll	Mebkge32.exe
File created	C:\Windows\SysWOW64\Nkcmjlio.exe	Nheqnpjk.exe
File created	C:\Windows\SysWOW64\Pbddobla.exe	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Jhfbog32.exe	Jnnnfalp.exe
File opened for modification	C:\Windows\SysWOW64\Klddlckd.exe	Kkegbpca.exe
File created	C:\Windows\SysWOW64\Mojopk32.exe	Mebkge32.exe
File created	C:\Windows\SysWOW64\Oflfdbip.exe	Ooangh32.exe
File opened for modification	C:\Windows\SysWOW64\Jhfbog32.exe	Jnnnfalp.exe
File opened for modification	C:\Windows\SysWOW64\Lehhqg32.exe	Lhdggb32.exe
File created	C:\Windows\SysWOW64\Mbdpdane.dll	Lhdggb32.exe
File created	C:\Windows\SysWOW64\Alinebli.dll	Lbhool32.exe
File created	C:\Windows\SysWOW64\Bqpqlhmf.dll	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Kkegbpca.exe	Kalcik32.exe
File created	C:\Windows\SysWOW64\Mebkge32.exe	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Kpdejagg.dll	Nheqnpjk.exe
File created	C:\Windows\SysWOW64\Pmbpeafn.dll	Khdoqefq.exe
File opened for modification	C:\Windows\SysWOW64\Nfiagd32.exe	Nooikj32.exe
File created	C:\Windows\SysWOW64\Pmmeak32.exe	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Aannbg32.dll	Jnpjlajn.exe
File created	C:\Windows\SysWOW64\Jjihfbno.exe	Jelonkph.exe
File created	C:\Windows\SysWOW64\Ichnpf32.dll	Klgqabib.exe
File created	C:\Windows\SysWOW64\Moefdljc.exe	Memalfcb.exe
File created	C:\Windows\SysWOW64\Pcdqhecd.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Hiocnbpm.dll	Inkaqb32.exe
File created	C:\Windows\SysWOW64\Napameoi.exe	Nkeipk32.exe
File opened for modification	C:\Windows\SysWOW64\Ooangh32.exe	Ocknbglo.exe
File opened for modification	C:\Windows\SysWOW64\Pkklbh32.exe	Pfncia32.exe
File created	C:\Windows\SysWOW64\Haafdi32.dll	Piceflpi.exe
File opened for modification	C:\Windows\SysWOW64\Mdghhb32.exe	Mojopk32.exe
File created	C:\Windows\SysWOW64\Nhlfoodc.exe	Nbbnbemf.exe
File created	C:\Windows\SysWOW64\Pgoikbje.dll	Okailj32.exe
File created	C:\Windows\SysWOW64\Fbbojb32.dll	Kalcik32.exe
File created	C:\Windows\SysWOW64\Lhdggb32.exe	Lbhool32.exe
File opened for modification	C:\Windows\SysWOW64\Ofgmib32.exe	Okailj32.exe
File opened for modification	C:\Windows\SysWOW64\Pcdqhecd.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Piceflpi.exe	Pokanf32.exe
File created	C:\Windows\SysWOW64\Conllp32.dll	Pcijce32.exe
File opened for modification	C:\Windows\SysWOW64\Akihcfid.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Pmjhlklg.exe	Pbddobla.exe
File opened for modification	C:\Windows\SysWOW64\Inkaqb32.exe	Iecmhlhb.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcdhhe.exe	Jnpjlajn.exe
File opened for modification	C:\Windows\SysWOW64\Kalcik32.exe	Khdoqefq.exe
File created	C:\Windows\SysWOW64\Lbcedmnl.exe	Leoejh32.exe
File opened for modification	C:\Windows\SysWOW64\Lbcedmnl.exe	Leoejh32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjhokg.exe	Lbcedmnl.exe
File created	C:\Windows\SysWOW64\Pceijm32.dll	Jhmhpfmi.exe
File opened for modification	C:\Windows\SysWOW64\Khdoqefq.exe	Kbeibo32.exe
File opened for modification	C:\Windows\SysWOW64\Mlemcq32.exe	Moalil32.exe
File created	C:\Windows\SysWOW64\Ocknbglo.exe	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Okahhpqj.dll	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Fhjaco32.dll	Ldfoad32.exe
File opened for modification	C:\Windows\SysWOW64\Pfncia32.exe	Podkmgop.exe
File opened for modification	C:\Windows\SysWOW64\Qejfkmem.exe	Pcijce32.exe
File created	C:\Windows\SysWOW64\Gdqeooaa.dll	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Lknjhokg.exe	Lbcedmnl.exe
File created	C:\Windows\SysWOW64\Jfbnnelf.dll	Nkcmjlio.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeak32.exe	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Nfoceoni.dll	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Abcppq32.exe
File opened for modification	C:\Windows\SysWOW64\Iecmhlhb.exe	Ilkhog32.exe
File created	C:\Windows\SysWOW64\Jnpjlajn.exe	Jhfbog32.exe
File created	C:\Windows\SysWOW64\Ipiddlhk.dll	Nkapelka.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfbog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedipge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfiagd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b6160b66405385d5d51d75797ca7ae758aaedf5c64e5399cda89dcaf3c68c32N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhdggb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moefdljc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbnbemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkhog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lehhqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkeipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooangh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nakhaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefjnno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iecmhlhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moalil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlfoodc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihceigec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Memalfcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkapelka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjihfbno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kalcik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmjlio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnnnfalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoejh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nheqnpjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nooikj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnpjlajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcdhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlifnphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebkge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napameoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnnianm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocknbglo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbdpdane.dll"	Lhdggb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kialcj32.dll"	Pokanf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhbfe32.dll"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmmnbnl.dll"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapchaef.dll"	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipiddlhk.dll"	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbnnelf.dll"	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	2b6160b66405385d5d51d75797ca7ae758aaedf5c64e5399cda89dcaf3c68c32N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll"	Jhmhpfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklociap.dll"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbikenl.dll"	Ooangh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqcco32.dll"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbfndd32.dll"	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alinebli.dll"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkapelka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqkbjk32.dll"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moefdljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqpqlhmf.dll"	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbojb32.dll"	Kalcik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhlfoodc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcboj32.dll"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgfaf32.dll"	Nfiagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlefjnno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfncia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akihcfid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2b6160b66405385d5d51d75797ca7ae758aaedf5c64e5399cda89dcaf3c68c32N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klgqabib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcdqhecd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ooangh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 4668	2516	2b6160b66405385d5d51d75797ca7ae758aaedf5c64e5399cda89dcaf3c68c32N.exe	89
PID 2516 wrote to memory of 4668	2516	2b6160b66405385d5d51d75797ca7ae758aaedf5c64e5399cda89dcaf3c68c32N.exe	89
PID 2516 wrote to memory of 4668	2516	2b6160b66405385d5d51d75797ca7ae758aaedf5c64e5399cda89dcaf3c68c32N.exe	89
PID 4668 wrote to memory of 2604	4668	Ilkhog32.exe	90
PID 4668 wrote to memory of 2604	4668	Ilkhog32.exe	90
PID 4668 wrote to memory of 2604	4668	Ilkhog32.exe	90
PID 2604 wrote to memory of 2728	2604	Iecmhlhb.exe	91
PID 2604 wrote to memory of 2728	2604	Iecmhlhb.exe	91
PID 2604 wrote to memory of 2728	2604	Iecmhlhb.exe	91
PID 2728 wrote to memory of 3436	2728	Inkaqb32.exe	92
PID 2728 wrote to memory of 3436	2728	Inkaqb32.exe	92
PID 2728 wrote to memory of 3436	2728	Inkaqb32.exe	92
PID 3436 wrote to memory of 1540	3436	Ihceigec.exe	93
PID 3436 wrote to memory of 1540	3436	Ihceigec.exe	93
PID 3436 wrote to memory of 1540	3436	Ihceigec.exe	93
PID 1540 wrote to memory of 2312	1540	Jnnnfalp.exe	94
PID 1540 wrote to memory of 2312	1540	Jnnnfalp.exe	94
PID 1540 wrote to memory of 2312	1540	Jnnnfalp.exe	94
PID 2312 wrote to memory of 4752	2312	Jhfbog32.exe	95
PID 2312 wrote to memory of 4752	2312	Jhfbog32.exe	95
PID 2312 wrote to memory of 4752	2312	Jhfbog32.exe	95
PID 4752 wrote to memory of 1768	4752	Jnpjlajn.exe	96
PID 4752 wrote to memory of 1768	4752	Jnpjlajn.exe	96
PID 4752 wrote to memory of 1768	4752	Jnpjlajn.exe	96
PID 1768 wrote to memory of 2344	1768	Jdmcdhhe.exe	97
PID 1768 wrote to memory of 2344	1768	Jdmcdhhe.exe	97
PID 1768 wrote to memory of 2344	1768	Jdmcdhhe.exe	97
PID 2344 wrote to memory of 1172	2344	Jelonkph.exe	98
PID 2344 wrote to memory of 1172	2344	Jelonkph.exe	98
PID 2344 wrote to memory of 1172	2344	Jelonkph.exe	98
PID 1172 wrote to memory of 2884	1172	Jjihfbno.exe	99
PID 1172 wrote to memory of 2884	1172	Jjihfbno.exe	99
PID 1172 wrote to memory of 2884	1172	Jjihfbno.exe	99
PID 2884 wrote to memory of 1088	2884	Jhmhpfmi.exe	100
PID 2884 wrote to memory of 1088	2884	Jhmhpfmi.exe	100
PID 2884 wrote to memory of 1088	2884	Jhmhpfmi.exe	100
PID 1088 wrote to memory of 4900	1088	Jeaiij32.exe	101
PID 1088 wrote to memory of 4900	1088	Jeaiij32.exe	101
PID 1088 wrote to memory of 4900	1088	Jeaiij32.exe	101
PID 4900 wrote to memory of 3256	4900	Kbeibo32.exe	102
PID 4900 wrote to memory of 3256	4900	Kbeibo32.exe	102
PID 4900 wrote to memory of 3256	4900	Kbeibo32.exe	102
PID 3256 wrote to memory of 4988	3256	Khdoqefq.exe	103
PID 3256 wrote to memory of 4988	3256	Khdoqefq.exe	103
PID 3256 wrote to memory of 4988	3256	Khdoqefq.exe	103
PID 4988 wrote to memory of 1224	4988	Kalcik32.exe	104
PID 4988 wrote to memory of 1224	4988	Kalcik32.exe	104
PID 4988 wrote to memory of 1224	4988	Kalcik32.exe	104
PID 1224 wrote to memory of 3216	1224	Kkegbpca.exe	105
PID 1224 wrote to memory of 3216	1224	Kkegbpca.exe	105
PID 1224 wrote to memory of 3216	1224	Kkegbpca.exe	105
PID 3216 wrote to memory of 2804	3216	Klddlckd.exe	106
PID 3216 wrote to memory of 2804	3216	Klddlckd.exe	106
PID 3216 wrote to memory of 2804	3216	Klddlckd.exe	106
PID 2804 wrote to memory of 8	2804	Klgqabib.exe	107
PID 2804 wrote to memory of 8	2804	Klgqabib.exe	107
PID 2804 wrote to memory of 8	2804	Klgqabib.exe	107
PID 8 wrote to memory of 1192	8	Leoejh32.exe	108
PID 8 wrote to memory of 1192	8	Leoejh32.exe	108
PID 8 wrote to memory of 1192	8	Leoejh32.exe	108
PID 1192 wrote to memory of 4640	1192	Lbcedmnl.exe	109
PID 1192 wrote to memory of 4640	1192	Lbcedmnl.exe	109
PID 1192 wrote to memory of 4640	1192	Lbcedmnl.exe	109
PID 4640 wrote to memory of 2628	4640	Lknjhokg.exe	110

C:\Users\Admin\AppData\Local\Temp\2b6160b66405385d5d51d75797ca7ae758aaedf5c64e5399cda89dcaf3c68c32N.exe
"C:\Users\Admin\AppData\Local\Temp\2b6160b66405385d5d51d75797ca7ae758aaedf5c64e5399cda89dcaf3c68c32N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\Ilkhog32.exe
  C:\Windows\system32\Ilkhog32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SysWOW64\Iecmhlhb.exe
    C:\Windows\system32\Iecmhlhb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\Inkaqb32.exe
      C:\Windows\system32\Inkaqb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3436
      - C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\Memalfcb.exe
        
        C:\Windows\system32\Memalfcb.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4224 /prefetch:8
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iecmhlhb.exe

Filesize
188KB

MD5
a00a683856f8c4462ef9691d33519733

SHA1
9449b4a451ff7099ecb6ae8eb82ca40aa6b1dc40

SHA256
d6844b9826f5e6c0975217e4104956fd02c88668306dab924cb16c209ae1329d

SHA512
7ddc543212b94528aba39d6794e2d720379204e55e3f278b0c46c0cc768ecbab10ab42386158cc03f9076a7c883f86c89894a340ab13e7a70c51a0c8d474c8ac

Download Submit
C:\Windows\SysWOW64\Ihceigec.exe

Filesize
188KB

MD5
c73311a3bc4e23956365a2f2846780f9

SHA1
38e7c768fb1ae6aa09a4a4c5e41a7f700a5e8aab

SHA256
c86e3c64d8a08ca5c1d8275093f264a8ab2c051115ef2e96fc03092989764ddd

SHA512
26306eef2d19f69b342593eb2c406cbb7e77ad9f174c719d96c3a1cd894a33d21653733116c6fdb434932bccd384522d5836e4d07096b57b98027b59113f701c

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
188KB

MD5
def00fb4fad31f993b549fb4a16b7f9e

SHA1
4b13523556b825283586f9e188e1309baf59b9c3

SHA256
e7644fedfa32d6d9d7e583e36a14e3d66ab6d2a63aa03c305d4fb5238db5573c

SHA512
144e73a20d1a14c0af274f414e1fed06bd5c540b76a7a1e5e6e10f145af91d4f6de8496a74dc4a5b17eeb51279f61425a09b63a10dde77f8279ebc36f79f3566

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
188KB

MD5
a60f299a2c335cf9f650e39da875bb9d

SHA1
ccaf8c18995239e52c8cd5a833d6c729f46d5a75

SHA256
210924c9c0bf4c8649089db531a987e962bf7b5d57c89a2cfbef50f72f268780

SHA512
45f8122a9eff27d11fa759b837bb1309f05637c4a2f50b0b2e8e2bdd107bb627ade8bac7a7cb005c34e59313ab518bbf1f8725b7bf331a01df6a434091f96027

Download Submit
C:\Windows\SysWOW64\Jdmcdhhe.exe

Filesize
188KB

MD5
c3634e2840325f99db5338f4afb2868e

SHA1
b73d48e655008a80cdddbc3ac0197f7a12ec48db

SHA256
2f7eae3334940c0284fa1dfd776c3e519699f8e13627292959e0f0484c3bc50c

SHA512
33a7d7b0d5497233f823902f474471f2827a49feb3847bc39daeff1db5df299d8a9ad2ac22813499d4b9cf2979b61f0954ed1931fac8bbcd746bbeed4eb1a277

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
188KB

MD5
990b64c1dd2af801ce8be37bda51c7aa

SHA1
0b73e966c8b8961a01e83a701af852f807a17129

SHA256
13f1ce0310fd0703708e7bdf2b3c179449ed7f07e439ac01479ac41da6b644db

SHA512
d063ba3a15b648ddc86cb402247881659da11d3f6ffd0836de4889bd787de2c81a28829a1ab3be78051e89ec1a5665b2837da2d616c08305b036521bc5b73260

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
188KB

MD5
052518e5c21d6dd7ca254da88d7393c7

SHA1
806f31d5a32862012eebb6c0db3fbaca45500aa4

SHA256
2fcc19f0381701578eb54bd563426729790900fbcd47798f4894e864ba06e087

SHA512
494a7b2abf4c23034353eeff859674d0d4fe6dfedd26f758686a6319877585be55803d70e3055833cbec33c7057a5e7e42eddcc9ce42a0c3986529addd39783f

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
188KB

MD5
51f6442a34a85d2c587b06fd7e642e0a

SHA1
5fc6e77dadf74fff09e49a5ac76a40bd30e9df48

SHA256
7a9c740c5f7f4205d6170caaa734e3595205ff9c070d727fe26a9824aa3f4abd

SHA512
de2450936d793cf6935a96e8b368d39ea8f348a61634a383826b7c9549593b81e01aabda2d27901dd0038a3e6aeb6f53f8d887f75e6d94e08d250c8a0dff0748

Download Submit
C:\Windows\SysWOW64\Jhfbog32.exe

Filesize
188KB

MD5
bbb7e5ba13d7079bd5627dc8ea77fed8

SHA1
8e9d56300c97f5f734c2268147345c9c454b49d2

SHA256
08e36193d367e7e1d854de4145d13834c62b7f5ed7783d04e0c5ace6533f2e35

SHA512
04a6ca7b4cc443e5e50e902ba8e17a040ffc8cbab4a563b974a86e55e308dd2edd3f6882c8c84c56767451e3690c1aee05f25a3509bc76debbe5947f5afd241e

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
188KB

MD5
ebd587023125c6f98af6a83e39cfd75c

SHA1
f92e91a92af8ee72d2a64dd00044084c50ab4cf0

SHA256
c86a71890467e4a67d724a6acd486771c9fd3435d5951b9198f9a13b4fbde6c4

SHA512
b45f76d27e008ee73da920d6763261c6638474fcaa0f9dbb649aadb02e2bea39318eaed050cd210c76804ec2d46ca97442e1323f3cd33fb6459d15fb73745902

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
188KB

MD5
c83196519b724226390974d1e8edf315

SHA1
a6ad6643a962294371d75711eff0d99733c8684a

SHA256
c90bf571139172b3a3356ec987457d21955950b42ad5bc4570bba1f5c60b28bb

SHA512
afbb143238b0229f440c30d82a2b9552df6773b36648caf9bab8ae8870de70afe9c880cd124bce28f16869e11edc03bc71a7a353cbfbc73667cf9ef3a7af4af6

Download Submit
C:\Windows\SysWOW64\Jnnnfalp.exe

Filesize
188KB

MD5
c30aa91e14880970984e8f4bc6b471cc

SHA1
4a4690f604e467bf1c642de3eea3da014a137519

SHA256
28e8cf3f221f9b6aaab1db08268bd1387a7861c666927f4ba8bede0e0f5cf065

SHA512
12db29facf06010270717b666ebf259222d4a7981bbdb879680d0cea24abceceb30ad87e37ead8c5b2e7f93cb0a09548260c5efd342b7d4a7a96e21ae7f57d63

Download Submit
C:\Windows\SysWOW64\Jnpjlajn.exe

Filesize
188KB

MD5
91a8bbc5d5f0790e62f5f98b1b7fba4c

SHA1
4640d5dad36e2bff033cf48ddcbcc7f62b871d93

SHA256
543a70b25e720fe1e72fc1907b85048203916441402ce32faf45712bdbedc1b2

SHA512
4b2273b4c26015cd88549152b4d8074fd2927a73112cf47ac01215f804154b7a2613db14c2fc0edb391331061d4b1ca4b74d43257623bde9d0300d259f0de9e6

Download Submit
C:\Windows\SysWOW64\Kalcik32.exe

Filesize
188KB

MD5
55b88c29d19a8093d8cd47f6ab35fc88

SHA1
f4d2e1a7980630cbfa1e0da8172b093ccdcc9fca

SHA256
ac6a4354dd30af1906eda9aed1b9dc9bdb2c53721eb21de41d26dd2bcd3385e5

SHA512
ec005dced24ac21524d9798fd3a50ccceed2fc401fd9e45d87abac49bf6e23127720505f4199740d28f093bad7a08fffdc3d11161c3d2be4ec8f2a8aac04c0cc

Download Submit
C:\Windows\SysWOW64\Kbeibo32.exe

Filesize
188KB

MD5
9902e2253fc7b47a454e8006ef55bd22

SHA1
9ff489a1861ff8de7e5e6fb9a9118dcba1676d18

SHA256
7395d5bbc5b4e6d2b385dea7773216126b78a06d9eb04c7d09ca43694a6fc017

SHA512
719425fb8716fe9887b02d508b7cfa53d14db07fceab650c2b28a91d626b6c27babc0a34ab8f44ef68ed9caf7b607555335154e7f47d626c2c83bda12af7b908

Download Submit
C:\Windows\SysWOW64\Khdoqefq.exe

Filesize
188KB

MD5
a3273e60ea5dee8a651e5ae8e9e7f6f7

SHA1
9cc3a1cee4eba57254ce56984667c7b10764cf44

SHA256
93d1f7021f8c7cb588cf6b75a228d2f827c28f3b61ef9bf3c1e4767d25c727a2

SHA512
65b9c1729f61f76df21b049918ebb7a42d51e627059474c309b6a532676248ad2e1b55865138fc430b11ee857ac4c28850058a6655e4ba8254a0e4a7a6c37727

Download Submit
C:\Windows\SysWOW64\Kkegbpca.exe

Filesize
188KB

MD5
971f060d689c83add700761b9dc0bbe2

SHA1
b8b885ec5373f853bffd353e0b18364c4e5ccc2c

SHA256
54b914d586f6522b6244971ccf0e1c0aa8b3cc4678416b28148e0ad59217b01e

SHA512
6b9e202f34424f34be7f7c60f3b874c660868ae55ad68640e1335d9f1ba83e0d70bf090547fc8053fe0a79b09ccaea65bb29b593fce0c054d04d6bd764882436

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
188KB

MD5
7a607b4b3bd01357ea45d0f771c49c20

SHA1
25f188c420a0b79a683ff8466294a282c8a58674

SHA256
7e35bb8b85f9fffce7b3ae48427ea3869935dd316f39101ff50fc80d547565e8

SHA512
dfccf4816fd61a73ed514cbb83fc52ab7c91b8ba878364b9d80a6a27c9dde528595ea77bbbf8f334c0e6e50c21008da6d5f3042b2f0ef0054c75b1e643cbc6bc

Download Submit
C:\Windows\SysWOW64\Klgqabib.exe

Filesize
188KB

MD5
f9c12349363d80ef0e1a9676cc79bf30

SHA1
bdf76b42898ea2db3efae52ce3d3f1729ae84b2e

SHA256
49a6f272749335750bd9e675e1ba94fb12ff293f52c0b8802cc830c8759f4489

SHA512
b1b94888ff861f36ddee801909dff46dfdc0aec52776cb317c0f6fd1284bad4121e3720b3b4847704f10a2a5eb1617b1495679077073aadc318f3bc88997b502

Download Submit
C:\Windows\SysWOW64\Lbcedmnl.exe

Filesize
188KB

MD5
1bf7222bf40ebdf0002f1aaa243333d5

SHA1
36a7effd0e1fd976956195068d7cc99ea3ac068d

SHA256
a9f7d72a28d946628dd6a2c87922a0e3424afc2ea4b62658f655bd7a379b9e7a

SHA512
7399d90c1da4d8e96547ccee9b60d33a21e7cfbbc643b38b3e19db273188fe1c6d488bac4cb50ad832a4b657e6043b83447fb3d92f3d15d20dcf28a47238f729

Download Submit
C:\Windows\SysWOW64\Lbhool32.exe

Filesize
188KB

MD5
feac48663df4101a983812e1c1a25861

SHA1
8c27e89251d3d92575c896f18e99e541868a48f4

SHA256
4ff2a500816376c10dfae27e2e347de985473a774cdbaf5593e9da65f0881a3c

SHA512
c713a7bdbfbcc1cee4e0e01715b54c38ab69ea35275d8a812c7461e96e59c0d75edc5674213713e4e5d02cf8bc431b9e90116159941b470d0cdc65e89cf1147a

Download Submit
C:\Windows\SysWOW64\Ldfoad32.exe

Filesize
188KB

MD5
3288daae65fa5c078b16d8693cb8a29d

SHA1
ba580a59908f4f9a5c04c68278ef3e0e03a502d6

SHA256
bcb539338cc30cdb90ec43286e8fad0adb15e33a2c6fa5dee5132353edc20ac8

SHA512
c3d509f7dffa6f188010d500b0b261842d0f5829e4f0794c2e33438684ba5d0275871e6b50439853277fa470d28586a2d31629580e6accb9e847a921c2cac0a6

Download Submit
C:\Windows\SysWOW64\Lehhqg32.exe

Filesize
128KB

MD5
b1d307c0dfd72b5336cd455dd2fdd92d

SHA1
12d3aea798435364e091ee5784cc2f01fd0bc3fe

SHA256
8c91ce3df30b0fc003a90984d03ef06bf53de69b689377bacb3bf74ee10080f7

SHA512
1088b90c6fdf2f99747ada68fafb1b0bf56c80c9ed92b0fe5e065d1bbcd5c640e490f84b67e18cfd51a0fea56d7f91c61650963b2dcfe053e6f1dcb678dd8d92

Download Submit
C:\Windows\SysWOW64\Lehhqg32.exe

Filesize
188KB

MD5
5055635116bfe83aff40e4f6225f84d3

SHA1
d8b0068aeb1087a78cdaaed0ee4407b867926b45

SHA256
a76f6c256d97cf69a773d634f1b64c2a6f344c4eb9553760be1679caec43bea5

SHA512
020385f8393db84a045f5c99837f9dd66aeb04f76a38cab682a77e872b03f72c5bdce53e7de2e3ec180bec571a4772277cc1d2c559fbb888f1515af94f0e4235

Download Submit
C:\Windows\SysWOW64\Leoejh32.exe

Filesize
188KB

MD5
e1c071c31d6bc3b0e3fa9d7e976619e3

SHA1
be05e2b37cadb82746c885d2a7d6bbafb79d3a15

SHA256
7401f60e3684a5111f0a1adb6795e6ccd1a6fe27ab2cffb12a442bf78e04180d

SHA512
abb1cd242c93f6710c9ab77a26717e8942d26547fd7122b13628a03116ae5856ad5ea34fe4b1ea76de1183d4ed42adbb83be89aa25ddbd14595760ecd6eb519c

Download Submit
C:\Windows\SysWOW64\Lhdggb32.exe

Filesize
188KB

MD5
e00893c472e1e50a9a7b99c9b46b68d1

SHA1
d4ad3e84e9b0860c9a189e51d9e935a9b6accfdc

SHA256
3270739c76fab78c8a148ba4fdca349f21db0185614753d66f81fcf8214334bf

SHA512
c395895d44c0b98c0dec7a699b72dfc08de19ee7e3362e78430986a7f2b3d48f5d6621fdfc05f5f25c99218e94b0b7d852bba3015f01112e655bec674de0b8b2

Download Submit
C:\Windows\SysWOW64\Lknjhokg.exe

Filesize
188KB

MD5
7b261b14aca18dd4b75ac25bdd333f86

SHA1
be720748c57b52950af0ef2b48f041de1aa98e2e

SHA256
89f73501a684573c054bb1df2ee028e3d1a870af1b695ad34cbd6e33f06adb88

SHA512
141fdb4eac55286d47784fbf78db1d46dad95765d2655e8c2f5cdf658f314839e19cae7344de3bebd6c3c532d536c0eb6d9636d3268a680b45b03a00c903db6d

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
188KB

MD5
898fcf1e3bea3c85fb9f015aa1909bc6

SHA1
d39c23dd0e002fd05736926ea29e8c4ddc188bf5

SHA256
0876299fa6fe396a6b144ad498200dc796d77491ef9362ad34af95d2ada3bc04

SHA512
8eb18c6347e74cbc13473e3491dc628ce1ccbf9b7797478f17c3217c699de5b48bb334607ee7c76b4b29a1e2bd03cfa6b05fcca37b3b8737e2910b767ff9a028

Download Submit
C:\Windows\SysWOW64\Mebkge32.exe

Filesize
188KB

MD5
1413ed0ae8f8a29a95a3b91d96b1ccd6

SHA1
8771ddfbb871b7edc5eded0e371897147ae43b24

SHA256
5fd1b667b8b794ff60db2c9b612c7eb9b4ed402c504e8fe9aa44c83edaa037bb

SHA512
d6d893a432fcecd787b82c39d978d512f5a78cb1bf0f967590f01f758c5cd6f05591447cdedca3bad4d21fe6e31d0902e6d5e45ce5a0e4bcf343901d82082dc3

Download Submit
C:\Windows\SysWOW64\Memalfcb.exe

Filesize
188KB

MD5
4fe8bc8fc552a94bfd014fb6a0554937

SHA1
99e9e91798d7d0fa3829a72a7abd0c7018cf2753

SHA256
c5b9a10640e6a1b6932c202f7f4584d313fb3c5992470eb881ba4cc83116f4f6

SHA512
6bf81c94ab96c098587ab8d94a73189671b31405b9e7a0093f35011ae2373949229826ca0afef7353d5d30010cc8107ae0b3c212b5f30285e35bfdb176b5328f

Download Submit
C:\Windows\SysWOW64\Mkojhm32.dll

Filesize
7KB

MD5
85d036fa1c8a201eb9e44aea63601562

SHA1
1916bbf4b8bf73dab99e77bfe7793df85d44547e

SHA256
4fb43a925d4ae2cf4cd2b43070a2bf40b2bd9ade399e3b78aada07841954cac9

SHA512
103247ce0a2a3549565d86b7a7e71eb2cb8a5c912851047976b0889f27f0ae3cf2c124053c329a9aa67b8ed150ddf0db0248c2d2d2552b48961e1583987293a1

Download Submit
C:\Windows\SysWOW64\Mlemcq32.exe

Filesize
188KB

MD5
004f29a2ae4a50dc7fb324b530b8230b

SHA1
e44ab99fa9209d8cba737ccb5a97ddf50084bbe6

SHA256
917181f4e4cb9c7712fe563e4ad7ff2d628ffc6bcc22958170fbf3c837e5db7c

SHA512
e419917188c448af8ad1b8cc70bb002b85fce22055e7d0b26b31e2de6275913b562d7e8cae1b4dfb15d49628dbd16095c74567c8ed26b1d3e66236bc93a900ed

Download Submit
C:\Windows\SysWOW64\Mlifnphl.exe

Filesize
188KB

MD5
6f314cb0f03ff375cafda4e9416124b4

SHA1
4f90f1336f94b1aa7d60cd714a08422c788b2e5f

SHA256
67585138064895e04088a035857d9b36d6f51bc8f5c5cfe229cdfc78576c9a5e

SHA512
1368a771d86bbadcd7b606a9c758e6fa86cdd90045ad7a2c71cac03fc04d69b685f7a8142d455c76d469b1db893ca53e607f63e45fd01087d502a98f0a4a97ab

Download Submit
C:\Windows\SysWOW64\Moalil32.exe

Filesize
188KB

MD5
d391711d5b25f5f2ae41e2bb96d684c1

SHA1
4cb1260fbdf262df142542aa5e098ec3dc2908cc

SHA256
5c536015f60e88ca1a5f341591a45bc5afc63246840c09aafc6a50d399ccd03d

SHA512
b84c5771129b62cdd8e34863066ddc3790129de3e19b4c578991759e0fdb0a1856687adaeda20ea20370d60607ae026982332c26bb12f3947bd1ef482941bd5e

Download Submit
C:\Windows\SysWOW64\Moefdljc.exe

Filesize
188KB

MD5
7f0ed48db4ff4417784fa609d666510e

SHA1
b79393d4ce18a9548a76759a86a035ad9c90d5ca

SHA256
39e4851c3b4a5bb7846c9b850bdf3769e10bc8f06697a6824cf85a50b6a4e283

SHA512
a9624f8e2b2599ab0fe13566c00cbb44b72746ec9b1eae3c6ae2587ca07a19d0b323c3a835f84d7a3dc6175af632705a7ace7d090a5480e7f38bd1db3444e67c

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
188KB

MD5
e0cf5edbf2cf8c7f31b9e5090720fd9a

SHA1
e727d08f3e593b51a39e45bcdc13788355eadf90

SHA256
9b7fc3c2b84f84bb57f3596b62f3fd5d082d389ed35cc9f590b096d37ceeb0b5

SHA512
b9d636807f01377d1fb49de37fdd5708e32dccc7fbb93e0063f67b0c9c9bce84a0d427813313c784f0deaa2ace151e26422acede425fd52f67759560510654e8

Download Submit
C:\Windows\SysWOW64\Nhlfoodc.exe

Filesize
188KB

MD5
969dca16b5cac6f5cb230647d3787905

SHA1
6d05dc5c422964d1793166bbbb05f83aef6f6a25

SHA256
2c381513d9dfdca5557fd624f4d69108b8627aaa5bce9bd8c790e023ce75c43b

SHA512
30812e29972ec1c3e2e73639e02a95d12ad7c844f3e377b2333d37c394bc4442a306e80c5f235e9caf7a3405f8c176bd95e2368d925c610b781b9b83b94b2608

Download Submit
C:\Windows\SysWOW64\Ocknbglo.exe

Filesize
188KB

MD5
8798e2d82294353d18723b105eec5328

SHA1
e8f38d249db38aa61193b7fc07f9022e57efc212

SHA256
f46625702b51bb9b8f50d0fcf1dabe069c486d08361ed9e490017dfd098df00c

SHA512
bc2f83119b101fcbd1d78a92f39bf3a3f3df66f0a74b57b40aa83e03ec388b6f5155b7524bf2d4d454331b3023dc35b9d4fadeeeebd950c8c456f981313c3b6a

Download Submit
C:\Windows\SysWOW64\Oflfdbip.exe

Filesize
188KB

MD5
312a5cc94dbdab76cd258634db5d0f0c

SHA1
07bab0a993640cf522020ac81392b6fbc7b10cf1

SHA256
a4c6c8a532316f2145a8551c528ba2eb6c338f3aaebf056b0ee7481f6cbc7a73

SHA512
0cdf6e71ad02b47e7bb20dcf3c822c2e134ce168fa6fa8aa0d9f052bb5ce3b0d8c6649b60e7ef96b336c2a6cfe2b372ef3216fa336bb0d3a74c613e3589d5ab9

Download Submit
C:\Windows\SysWOW64\Pcijce32.exe

Filesize
188KB

MD5
6f5b14a5ffed2f0711b5ca80ef16c5b0

SHA1
fac21b03794705e3ee770b92c356ec0c838898cf

SHA256
1bc983e80f61f96f16049e7dd62b72edc08dae16be388f6476179b55c202481c

SHA512
4e3d68f90c3d79cf439f80ba75029099cb265ca7dcd1951b64e6c5d015ad5e472cfe5c9a3ccf34c97408719697a7d76bab74082740a63923c85fc4c0f13fdbd5

Download Submit
C:\Windows\SysWOW64\Pfncia32.exe

Filesize
188KB

MD5
bbca6541929704f28d4638059e8d1ab8

SHA1
54f002720e316db82d9d85f2a54ad427598f9d12

SHA256
87aad5f08728904e3a9688c12ce530ec4ad2cecfdb77108af167789d77e17382

SHA512
3fe81e180c2074eb288f94a1dd79c6ef864dcd3bbcfab156bce7b79d628df6d949a0f87c728d78ab49bba2998dad4122ebb1cb1065920059a05144eebf2827b9

Download Submit
C:\Windows\SysWOW64\Pmmeak32.exe

Filesize
188KB

MD5
00928baeef065b4e4b475b8964a2ff81

SHA1
6b71b4eb6383d30b37283dc923945b6ac435b07c

SHA256
17b47c5d0e067909cd23558f5d0c8477a0701cc8e88c86132b768bd550a33100

SHA512
94ee4b920327254a8ff68d510c27302e90f00e491fef42b0a219b939386baaf33311b703076f35959e2cc6e5c7083f84d291e257392843de5184523f507478ce

Download Submit
C:\Windows\SysWOW64\Qppkhfec.exe

Filesize
64KB

MD5
a5fede24590714769e906c54fd618cd2

SHA1
f35f37389ae32a6a6b0ce194ad194ff1b95a531f

SHA256
95770723508d1f71fbf579f2e00c4deb070d10f3806250f80e3e564684c8f4cb

SHA512
875ea6bf2f9abfdad4d356c484f65b7db4892b725344c39b434b0eeedb0455cca946f75a802d1be9f867f82a1492998557559236f50ea9a9f501a4e29fc0187e

Download Submit
memory/8-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/212-698-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/212-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-710-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-716-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/620-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/620-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-718-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/792-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-695-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-708-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1192-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1192-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-703-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1424-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1424-740-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-746-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-750-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-705-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-714-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-722-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-712-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-742-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-644-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3216-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3216-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-748-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-700-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-646-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-754-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-669-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-744-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4668-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4668-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-752-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-720-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-648-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads