berbew | da8f1f899726def391096e9c35beb80391c5b09fbe7f6979321b9068704a49ec

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da8f1f899726def391096e9c35beb80391c5b09fbe7f6979321b9068704a49ecN.exe
Size

481KB
MD5

d43829ca181f8c1746d2d5b312d146c0
SHA1

42b8db333d37baffb78338170fb87d7fd374620f
SHA256

da8f1f899726def391096e9c35beb80391c5b09fbe7f6979321b9068704a49ec
SHA512

b9e7b4373a6afedeb8e683fb24f9eab47cd1c47b1f1ef6653540b2095a2470bb81283b72d3c8dcb7b5a2eac2173e0fdcbb2280d8775103c14e28b9072ddcd1c0
SSDEEP

6144:o9M0et24a22qFM6234lKm3mo8Yvi4KsLTFM6234lKm3+ry+dBQ:ou0et2X2xFB24lwR45FB24l4++dBQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhdggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Moefdljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noaeqjpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhknhabf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlqloo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llimgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Memalfcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlbpma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nooikj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Namegfql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Janghmia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlbpma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcidopb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkhlcnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkapelka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keceoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdnebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piceflpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mociol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfbmdabh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkhlcnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mebkge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhlfoodc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhknhabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Namegfql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdnebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhbciqln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhdggb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkjjdmaj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
620	Iagqgn32.exe
3560	Ihaidhgf.exe
836	Iloajfml.exe
816	Jehfcl32.exe
2108	Janghmia.exe
3528	Jldkeeig.exe
1676	Jjihfbno.exe
2904	Jogqlpde.exe
1220	Jjnaaa32.exe
2692	Keceoj32.exe
2956	Kdhbpf32.exe
2148	Kdkoef32.exe
1112	Kejloi32.exe
1584	Kemhei32.exe
4820	Loemnnhe.exe
2180	Llimgb32.exe
4136	Leabphmp.exe
4316	Lknjhokg.exe
1192	Lajokiaa.exe
220	Lhdggb32.exe
2628	Ldkhlcnb.exe
2408	Mlbpma32.exe
3628	Maoifh32.exe
3264	Mdnebc32.exe
624	Mlemcq32.exe
5000	Mociol32.exe
3960	Maaekg32.exe
4848	Mhknhabf.exe
4116	Mkjjdmaj.exe
4216	Moefdljc.exe
992	Mepnaf32.exe
4644	Mhnjna32.exe
3672	Mklfjm32.exe
4288	Mccokj32.exe
728	Mebkge32.exe
2496	Mhpgca32.exe
4600	Mkocol32.exe
3300	Mcfkpjng.exe
3052	Medglemj.exe
4908	Nhbciqln.exe
1168	Nkapelka.exe
3324	Nchhfild.exe
3928	Nakhaf32.exe
3852	Ndidna32.exe
4340	Nlqloo32.exe
4792	Nooikj32.exe
976	Namegfql.exe
4084	Ndlacapp.exe
3616	Nlcidopb.exe
1768	Noaeqjpe.exe
1172	Nhlfoodc.exe
64	Ohncdobq.exe
1964	Obfhmd32.exe
1224	Okolfj32.exe
452	Oloipmfd.exe
228	Odjmdocp.exe
3704	Ofijnbkb.exe
1948	Ocmjhfjl.exe
4912	Pcpgmf32.exe
3988	Pofhbgmn.exe
964	Pfbmdabh.exe
3120	Piceflpi.exe
4412	Qckfid32.exe
464	Qmckbjdl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cboleq32.dll	Kdhbpf32.exe
File opened for modification	C:\Windows\SysWOW64\Leabphmp.exe	Llimgb32.exe
File created	C:\Windows\SysWOW64\Ldkhlcnb.exe	Lhdggb32.exe
File created	C:\Windows\SysWOW64\Jbkeki32.dll	Mhnjna32.exe
File created	C:\Windows\SysWOW64\Ipdkapdh.dll	Mdnebc32.exe
File created	C:\Windows\SysWOW64\Mklfjm32.exe	Mhnjna32.exe
File created	C:\Windows\SysWOW64\Cdpqko32.dll	Mklfjm32.exe
File opened for modification	C:\Windows\SysWOW64\Odjmdocp.exe	Oloipmfd.exe
File opened for modification	C:\Windows\SysWOW64\Llimgb32.exe	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Gmoikj32.dll	Mepnaf32.exe
File created	C:\Windows\SysWOW64\Cbgabh32.dll	Mhpgca32.exe
File created	C:\Windows\SysWOW64\Ecdleo32.dll	Ndidna32.exe
File created	C:\Windows\SysWOW64\Nhlfoodc.exe	Noaeqjpe.exe
File created	C:\Windows\SysWOW64\Ndnoffic.dll	Keceoj32.exe
File opened for modification	C:\Windows\SysWOW64\Moefdljc.exe	Mkjjdmaj.exe
File created	C:\Windows\SysWOW64\Ipiddlhk.dll	Nchhfild.exe
File created	C:\Windows\SysWOW64\Lhdggb32.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Edkakncg.dll	Ndlacapp.exe
File created	C:\Windows\SysWOW64\Ckmpakdh.dll	Namegfql.exe
File opened for modification	C:\Windows\SysWOW64\Jldkeeig.exe	Janghmia.exe
File opened for modification	C:\Windows\SysWOW64\Jjihfbno.exe	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Moefdljc.exe	Mkjjdmaj.exe
File opened for modification	C:\Windows\SysWOW64\Mklfjm32.exe	Mhnjna32.exe
File created	C:\Windows\SysWOW64\Nkapelka.exe	Nhbciqln.exe
File opened for modification	C:\Windows\SysWOW64\Mdnebc32.exe	Maoifh32.exe
File created	C:\Windows\SysWOW64\Mkjjdmaj.exe	Mhknhabf.exe
File opened for modification	C:\Windows\SysWOW64\Nakhaf32.exe	Nchhfild.exe
File created	C:\Windows\SysWOW64\Namegfql.exe	Nooikj32.exe
File created	C:\Windows\SysWOW64\Odjmdocp.exe	Oloipmfd.exe
File opened for modification	C:\Windows\SysWOW64\Qmckbjdl.exe	Qckfid32.exe
File opened for modification	C:\Windows\SysWOW64\Iloajfml.exe	Ihaidhgf.exe
File opened for modification	C:\Windows\SysWOW64\Jogqlpde.exe	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Leabphmp.exe	Llimgb32.exe
File created	C:\Windows\SysWOW64\Ndebln32.dll	Moefdljc.exe
File created	C:\Windows\SysWOW64\Okolfj32.exe	Obfhmd32.exe
File opened for modification	C:\Windows\SysWOW64\Obfhmd32.exe	Ohncdobq.exe
File created	C:\Windows\SysWOW64\Hfdgep32.dll	Okolfj32.exe
File opened for modification	C:\Windows\SysWOW64\Ofijnbkb.exe	Odjmdocp.exe
File created	C:\Windows\SysWOW64\Eilbckfb.dll	Kemhei32.exe
File created	C:\Windows\SysWOW64\Mhpgca32.exe	Mebkge32.exe
File created	C:\Windows\SysWOW64\Medglemj.exe	Mcfkpjng.exe
File opened for modification	C:\Windows\SysWOW64\Noaeqjpe.exe	Nlcidopb.exe
File created	C:\Windows\SysWOW64\Mejcig32.dll	Noaeqjpe.exe
File opened for modification	C:\Windows\SysWOW64\Oloipmfd.exe	Okolfj32.exe
File created	C:\Windows\SysWOW64\Mlemcq32.exe	Mdnebc32.exe
File created	C:\Windows\SysWOW64\Lggfcd32.dll	Memalfcb.exe
File created	C:\Windows\SysWOW64\Nlcidopb.exe	Ndlacapp.exe
File opened for modification	C:\Windows\SysWOW64\Iagqgn32.exe	da8f1f899726def391096e9c35beb80391c5b09fbe7f6979321b9068704a49ecN.exe
File created	C:\Windows\SysWOW64\Kknikplo.dll	Iagqgn32.exe
File created	C:\Windows\SysWOW64\Jogqlpde.exe	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Llimgb32.exe	Loemnnhe.exe
File opened for modification	C:\Windows\SysWOW64\Lknjhokg.exe	Leabphmp.exe
File created	C:\Windows\SysWOW64\Bakpfm32.dll	Oloipmfd.exe
File created	C:\Windows\SysWOW64\Eobdnbdn.dll	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Pofhbgmn.exe	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Pfbmdabh.exe	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Nakhaf32.exe	Nchhfild.exe
File opened for modification	C:\Windows\SysWOW64\Ocmjhfjl.exe	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Mpaflkim.dll	Pcpgmf32.exe
File opened for modification	C:\Windows\SysWOW64\Mlemcq32.exe	Mdnebc32.exe
File created	C:\Windows\SysWOW64\Mebkge32.exe	Mccokj32.exe
File created	C:\Windows\SysWOW64\Jbjabqbh.dll	Mebkge32.exe
File created	C:\Windows\SysWOW64\Aocdjq32.dll	Mkocol32.exe
File created	C:\Windows\SysWOW64\Hkglgq32.dll	Mcfkpjng.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldkhlcnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da8f1f899726def391096e9c35beb80391c5b09fbe7f6979321b9068704a49ecN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkocol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlfoodc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jogqlpde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlemcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nchhfild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obfhmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mepnaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklfjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nooikj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlbpma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhnjna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhbciqln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcidopb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iagqgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medglemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oloipmfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moefdljc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkapelka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janghmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfkpjng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkjjdmaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlqloo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhknhabf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjmdocp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofhbgmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhdggb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maaekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Memalfcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Namegfql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldkeeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nakhaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjihfbno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llimgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhpgca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoifh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebkge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndidna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihaidhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keceoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mccokj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noaeqjpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohncdobq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdkqcmb.dll"	Kejloi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknikplo.dll"	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaflkim.dll"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjokai32.dll"	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdkapdh.dll"	Mdnebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndebln32.dll"	Moefdljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mepnaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Keceoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdleo32.dll"	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfjc32.dll"	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfqbll32.dll"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhalpn32.dll"	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbjabqbh.dll"	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfoceoni.dll"	Nhbciqln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngkpgkbd.dll"	Nlcidopb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qckfid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihaidhgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Memalfcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acicqigg.dll"	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlqloo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Okolfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfbmdabh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldkhlcnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjigocdh.dll"	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcgfpia.dll"	Medglemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alinebli.dll"	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhdggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlbpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmpakdh.dll"	Namegfql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Noaeqjpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjam32.dll"	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pofhbgmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkiqbe.dll"	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Medglemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhbciqln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nooikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmmbfem.dll"	Ihaidhgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Keceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qagfppeh.dll"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emnhomim.dll"	Mociol32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 620	3232	da8f1f899726def391096e9c35beb80391c5b09fbe7f6979321b9068704a49ecN.exe	89
PID 3232 wrote to memory of 620	3232	da8f1f899726def391096e9c35beb80391c5b09fbe7f6979321b9068704a49ecN.exe	89
PID 3232 wrote to memory of 620	3232	da8f1f899726def391096e9c35beb80391c5b09fbe7f6979321b9068704a49ecN.exe	89
PID 620 wrote to memory of 3560	620	Iagqgn32.exe	90
PID 620 wrote to memory of 3560	620	Iagqgn32.exe	90
PID 620 wrote to memory of 3560	620	Iagqgn32.exe	90
PID 3560 wrote to memory of 836	3560	Ihaidhgf.exe	91
PID 3560 wrote to memory of 836	3560	Ihaidhgf.exe	91
PID 3560 wrote to memory of 836	3560	Ihaidhgf.exe	91
PID 836 wrote to memory of 816	836	Iloajfml.exe	92
PID 836 wrote to memory of 816	836	Iloajfml.exe	92
PID 836 wrote to memory of 816	836	Iloajfml.exe	92
PID 816 wrote to memory of 2108	816	Jehfcl32.exe	93
PID 816 wrote to memory of 2108	816	Jehfcl32.exe	93
PID 816 wrote to memory of 2108	816	Jehfcl32.exe	93
PID 2108 wrote to memory of 3528	2108	Janghmia.exe	94
PID 2108 wrote to memory of 3528	2108	Janghmia.exe	94
PID 2108 wrote to memory of 3528	2108	Janghmia.exe	94
PID 3528 wrote to memory of 1676	3528	Jldkeeig.exe	95
PID 3528 wrote to memory of 1676	3528	Jldkeeig.exe	95
PID 3528 wrote to memory of 1676	3528	Jldkeeig.exe	95
PID 1676 wrote to memory of 2904	1676	Jjihfbno.exe	96
PID 1676 wrote to memory of 2904	1676	Jjihfbno.exe	96
PID 1676 wrote to memory of 2904	1676	Jjihfbno.exe	96
PID 2904 wrote to memory of 1220	2904	Jogqlpde.exe	97
PID 2904 wrote to memory of 1220	2904	Jogqlpde.exe	97
PID 2904 wrote to memory of 1220	2904	Jogqlpde.exe	97
PID 1220 wrote to memory of 2692	1220	Jjnaaa32.exe	98
PID 1220 wrote to memory of 2692	1220	Jjnaaa32.exe	98
PID 1220 wrote to memory of 2692	1220	Jjnaaa32.exe	98
PID 2692 wrote to memory of 2956	2692	Keceoj32.exe	99
PID 2692 wrote to memory of 2956	2692	Keceoj32.exe	99
PID 2692 wrote to memory of 2956	2692	Keceoj32.exe	99
PID 2956 wrote to memory of 2148	2956	Kdhbpf32.exe	100
PID 2956 wrote to memory of 2148	2956	Kdhbpf32.exe	100
PID 2956 wrote to memory of 2148	2956	Kdhbpf32.exe	100
PID 2148 wrote to memory of 1112	2148	Kdkoef32.exe	101
PID 2148 wrote to memory of 1112	2148	Kdkoef32.exe	101
PID 2148 wrote to memory of 1112	2148	Kdkoef32.exe	101
PID 1112 wrote to memory of 1584	1112	Kejloi32.exe	102
PID 1112 wrote to memory of 1584	1112	Kejloi32.exe	102
PID 1112 wrote to memory of 1584	1112	Kejloi32.exe	102
PID 1584 wrote to memory of 4820	1584	Kemhei32.exe	103
PID 1584 wrote to memory of 4820	1584	Kemhei32.exe	103
PID 1584 wrote to memory of 4820	1584	Kemhei32.exe	103
PID 4820 wrote to memory of 2180	4820	Loemnnhe.exe	104
PID 4820 wrote to memory of 2180	4820	Loemnnhe.exe	104
PID 4820 wrote to memory of 2180	4820	Loemnnhe.exe	104
PID 2180 wrote to memory of 4136	2180	Llimgb32.exe	105
PID 2180 wrote to memory of 4136	2180	Llimgb32.exe	105
PID 2180 wrote to memory of 4136	2180	Llimgb32.exe	105
PID 4136 wrote to memory of 4316	4136	Leabphmp.exe	106
PID 4136 wrote to memory of 4316	4136	Leabphmp.exe	106
PID 4136 wrote to memory of 4316	4136	Leabphmp.exe	106
PID 4316 wrote to memory of 1192	4316	Lknjhokg.exe	107
PID 4316 wrote to memory of 1192	4316	Lknjhokg.exe	107
PID 4316 wrote to memory of 1192	4316	Lknjhokg.exe	107
PID 1192 wrote to memory of 220	1192	Lajokiaa.exe	108
PID 1192 wrote to memory of 220	1192	Lajokiaa.exe	108
PID 1192 wrote to memory of 220	1192	Lajokiaa.exe	108
PID 220 wrote to memory of 2628	220	Lhdggb32.exe	109
PID 220 wrote to memory of 2628	220	Lhdggb32.exe	109
PID 220 wrote to memory of 2628	220	Lhdggb32.exe	109
PID 2628 wrote to memory of 2408	2628	Ldkhlcnb.exe	110

C:\Users\Admin\AppData\Local\Temp\da8f1f899726def391096e9c35beb80391c5b09fbe7f6979321b9068704a49ecN.exe
"C:\Users\Admin\AppData\Local\Temp\da8f1f899726def391096e9c35beb80391c5b09fbe7f6979321b9068704a49ecN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\SysWOW64\Iagqgn32.exe
  C:\Windows\system32\Iagqgn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\SysWOW64\Ihaidhgf.exe
    C:\Windows\system32\Ihaidhgf.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\SysWOW64\Iloajfml.exe
      C:\Windows\system32\Iloajfml.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:836
    - - C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
      - C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Lhdggb32.exe
        
        C:\Windows\system32\Lhdggb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Ldkhlcnb.exe
        
        C:\Windows\system32\Ldkhlcnb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Memalfcb.exe
        
        C:\Windows\system32\Memalfcb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Mhknhabf.exe
        
        C:\Windows\system32\Mhknhabf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4512,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
481KB

MD5
a10c916e1ef5dc237ebcb5e872f6f887

SHA1
0fafbca4505a9dd5ccfeb4c1de8fff66d5766ddb

SHA256
79fb60d0be25236b64f50185397060146e2673621b009e07a8a9251dffa7e943

SHA512
3a8e3112e2fa1340e250f705d49465b105ce0385f3438cbd996a861a43d1be92c4c074e4ce9702396e846cae12c15f69a0b99c8743c30bd6fa420dddedbdac7d

Download Submit
C:\Windows\SysWOW64\Ihaidhgf.exe

Filesize
481KB

MD5
d1b326ccfbea72c83f0b96b6eaa40037

SHA1
61a0ecb43e8dcf9273e0323e09bb819869eb78cb

SHA256
8fe8a38fa9ba57e09c34b87d6c5f124d4be1f2294e592248b49e32b4b61cf91b

SHA512
bba6ba051be4c6d24ece0ea74a97e22c0947862bad423219aa63a804ec94720a563fbcfb8dac33f22e9e1ad4da9da9711deea3b32e01980e339a3a8db9219a2a

Download Submit
C:\Windows\SysWOW64\Iloajfml.exe

Filesize
481KB

MD5
73e0cb89d8570a5c1b3693ca52e25c25

SHA1
9b99c306c8223ff3084b1bae5156fc5e0ffec19a

SHA256
ca3c7dee7d5111468042a7134d2b85f7bd79b54b806c7b6c9ef31328e6935a33

SHA512
94a2bbe0dcdc5e1a1cbc116b24bccce73a4ecc2914e854f106b15a5dd4d704cf5706572a5192ca898d2ce3e03d2333f181f2083f4bf9af1563cc0da20ff3f9ef

Download Submit
C:\Windows\SysWOW64\Janghmia.exe

Filesize
481KB

MD5
c3f1a1ee5713a9978c0e6e2454788cd3

SHA1
26adfca269ba855d111e0bb450a648da7d226424

SHA256
4df42a410e259168c664f5de78a7f184a7fa629d85a9e8a3826f2076204a1c63

SHA512
79510b270b49cd8d66f9764ab8b9ad0fbad8714e11fbf9f1001a6dd7f2dd6f110dd5c207dcea594ea82ce124242398d7ebfface6803523cc9a1441a415d251d8

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
481KB

MD5
9c7b24eb0c16977445d1a71bc6afd82e

SHA1
b99f06b1994770054a247aee943e245c04f7a551

SHA256
db70f60dd626f4f79e958fc5263ae832fcee8d8fe5b3948df56ee4df352568fd

SHA512
b014b5a49770283fed2ff9796791fd3b20b1779b12212c5bc9d151e184bda8ad7aa047945528be2aafeba908c0710158955d60caff5bbea251ace64906b6521b

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
481KB

MD5
0e94a280fa6d7ee0d67376e3a29f2ced

SHA1
3844ffee7a4171241fd0e694635da0087982cf1d

SHA256
366857c425ccb751558c8b9787731babab7720760716406890eb74c861f584d1

SHA512
95aefc546e95d7988ed68677d486f47d9df8ffdecf17ecb1f9d99bbd2d240767691bc39d954ebf3e3d823175d0e11cb19899b8bb8a624251dcf7a0a8236e843e

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
481KB

MD5
a6efda254a21eb12e28afcd546bf379b

SHA1
7524bec326494cb429cda2fefe1699718d7444ef

SHA256
71d35b383fde2816f3d1b1a8a5ad093b90ab576d46940ec2e0c19d613502ca2b

SHA512
3d416a0b8240473404aeb8e4c54a6f00a42b1cdce58c0f04e2b92962a7500c822f919151aa85f88227abb25e3ff480f30ec0cf4e49150401e19d5f74985cb5e5

Download Submit
C:\Windows\SysWOW64\Jldkeeig.exe

Filesize
481KB

MD5
4fa85471dac6cffdbc5f808bcd7115a0

SHA1
9e5145887ce35ae40e78647725e2a983070bd0b8

SHA256
d3d1577cb89887f52a617f56a2becc6aed823a9792d8a1c5aef154fc9ecf3230

SHA512
869a72fcf4655201a361a6ec85ba8f360b2572da139635386a83c5e54b3f173f648193810f39fcd29b71a5252ddccf59191ba345883394e3fb2f02a10dac7597

Download Submit
C:\Windows\SysWOW64\Jogqlpde.exe

Filesize
481KB

MD5
78f803cf995cd7b1198dc756588f3eef

SHA1
de9fd4214e646ea0a2dea6705ad0f77b5d00ad02

SHA256
705347efec91dfccf5469a50882eec51948c9b412bbe4189ceeb140abad7c56f

SHA512
e2cefb7b2c2755fef9d1a39bfb61ea18c8f8fc8789bd57aa2e2d1da7712541e5c6be5cd1027c1bb9fb61b7f78404799fb7d53dc243cd1d53587e071536353f21

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
481KB

MD5
0d17957e594e08616f4a2a32b41d62c5

SHA1
96815dc00827547b1327554a887a9d0f304c480d

SHA256
553a6854cfd6b1f4bcf9d745fda18c12edefc5eda8d294ce991d84168b890f3d

SHA512
a1ce5f5c0e594dbbe9cdc8b6bce3eb7b22e96af549281c2526ab05b441c7503e1712027d65f41ac37198d365c519f2711cfc1d4dde96f52ec5a2a1c21ed80046

Download Submit
C:\Windows\SysWOW64\Kdkoef32.exe

Filesize
481KB

MD5
e19ba0103e8a164923d87c3fd5079fee

SHA1
cd279cbab7b38a247943cca695951e386fbdeb05

SHA256
a4cf001f890b2e881f2ca750a6ffc982c427e6da525f321ed47539fe2d9ccc23

SHA512
62b07a91aaebaab129ffdea84fef9c779cb1203807c3479722749f8e044e8c2aeadba602fa90fbe2f7fedb9bba95d594376dd662de4ba2f48a5c06f04a389a42

Download Submit
C:\Windows\SysWOW64\Keceoj32.exe

Filesize
481KB

MD5
61e5470d25f46502c6c5babc87b9f6d4

SHA1
b13117f90a14ab53cceb19e7c9407e8cde2c972e

SHA256
9d0bcfa1eb242aeaf5e99f9cd1bc477958c9b5ef8f21d13e4f1ca013f4b1569f

SHA512
7d4e6623b9e5ed1e38a88a46f941937f471a671441df398950521401d17d70128d67e8761f312cb3da0029210e66f85300fc335bf1d699110f7428b7f867bb3e

Download Submit
C:\Windows\SysWOW64\Kejloi32.exe

Filesize
481KB

MD5
d8f685e5d7970362b85f139edc3befda

SHA1
1c6b79b2d536e9a8832888bc44207798b71a2b95

SHA256
b3b0459e16448e0dfa50575afaddf5f5065fe2e7e429e1751de8cb84f1059b37

SHA512
4ac8932334a3694fbc89487bbf129b50601b5c01115927a94b9e13a50b7f31bcdf145fd9ba9bb9341f2698edae88bcc04bbcc7a72ca741927a612615408470c6

Download Submit
C:\Windows\SysWOW64\Kemhei32.exe

Filesize
481KB

MD5
d158e3deacb5d5c85fd49681b594789c

SHA1
4b282c4db64e7bea936ab64063aa2940efe83d76

SHA256
2d0148382e0e3a31efb9c04f8509c26384d18a4549dfba93f752a0b8dfa38dad

SHA512
d6ad1a12fe44c40aa59ad3014cc25843a26731b490608ae5035e9dc75d66316d2861b384c88e169e69f0fbf0db9c2ba57fe387a4d76ea987bbdab3d501805c6a

Download Submit
C:\Windows\SysWOW64\Lajokiaa.exe

Filesize
481KB

MD5
14551e4b08aaffd4f001b87e9a72186a

SHA1
edc5a3a0a5fc084eaa359b68d42a5a0982666d11

SHA256
57bc9d10feb76194c1c90ac0e760871ce3aa47758e05075802b76bf48a934951

SHA512
7925907ab08e277cc35929d789b586e60dfcb7edfe49c7f93988c545800c8d81efd900a1f2e98a844e86bc219f5f0affe5c879e10e54a96d87ac5f9251a8e157

Download Submit
C:\Windows\SysWOW64\Ldkhlcnb.exe

Filesize
481KB

MD5
cc4cdde95800f328c6e74e22f869a6af

SHA1
39f422b07508dcef28345eb3866bd13b8d04a28a

SHA256
4d19484d6771f90f0a0f2ba946c45e1536b8e885f551c732d39cfd5b1a39aed1

SHA512
81d0affcbc64b653a84f5a3c3eb85359fe8e06df78107b4766c18179022fa8872484ea7b3f983b68e25ca837f06e166b68f3b603465fcdc7df992541881a7232

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
481KB

MD5
51c4c773149dd37001551c3325f1eb3d

SHA1
a78d2fea3af00cd7ae29d66ca2b0ccd41fc2ddcd

SHA256
b313066c34e1849c95ed9d2c12da16b114e7d2e52f9d9d4a37baaf9f1e013fdf

SHA512
0e5ee279037af473a3d0ed5c61cdf430ddd507ae17ce62e197013597a299178df0155bae7ae0b1a0f0c332f02fed4ab299c4784f3aec86cabe95dc8dcc3dc012

Download Submit
C:\Windows\SysWOW64\Lhdggb32.exe

Filesize
481KB

MD5
ff9739a9e7481e94c7b91e6953a67b98

SHA1
661913d5c632adf35e03979dd48556ed33ac2a1f

SHA256
bbf38fcec72af1f35acac0b91e29d4faf1cba2fa904e8cb88b1bb01166e30a0c

SHA512
c2fb92562bc88253e40e5ebc5c99454b67b1240bd5861d95c750a6b11c15f33d1075a0ee219eac4259c0ade4cf1b76c5e934ee16be5c221fc150ef283c404608

Download Submit
C:\Windows\SysWOW64\Lknjhokg.exe

Filesize
481KB

MD5
29607d836ec9219db9ff3df4e7e69c86

SHA1
ab80d33adca8721506a6b5d65950f023390bd00b

SHA256
70ef834fd88fc916e066b37d978b504ecd95f8c176dea79aba81b9453948a546

SHA512
8a027a72f3732775643f68c27e20d0be87c9c69e3dd33c0b107150c64cef2c5692948edaa467a470bb750f32e2b5e4ad30676bbb4b94518b19f628a10e7d3f4d

Download Submit
C:\Windows\SysWOW64\Llimgb32.exe

Filesize
481KB

MD5
4dcd3466d3b27e53963efcf0e4dfa508

SHA1
454ad667abb1b90da41c17ff785549a5f9d4892c

SHA256
d5b8f99c9cbe4da157cc09c5bac4fb23c675798ba7985104305e3baa55061801

SHA512
3da9cf63a51ce8e8a2119960165af0329d801fef66fda807def40f3af8e5404b2060f99f8d34244699addfe6a6c9611512db9224c34cee78c37ddec81aa0bca7

Download Submit
C:\Windows\SysWOW64\Loemnnhe.exe

Filesize
481KB

MD5
e69a86607b229e4494dd41f91545624c

SHA1
b6c37036c64574451db32c4f026548d591f8463d

SHA256
df8e649dc8601db574a76688ad5f9dd9df5d23a841e07723ef2f8ad3960a708f

SHA512
7a6c4d701fe4f63896aa8372a5490f8f98eef28c8742533a1b260873a9de5cfc0656f9101e557a59209427baf5e947d147c36cafbcba6a2b00dc6ef1056d8c06

Download Submit
C:\Windows\SysWOW64\Maaekg32.exe

Filesize
481KB

MD5
d4e2f327be87bf7a16dcec11d97a8fac

SHA1
b7af2eb1c4dd38dd61c106df3bb23e7a84fff7d1

SHA256
d1f38b1f178d9d941648c77efed2f70a0eba6bfe5f73d9dfed8d40259b9c791e

SHA512
4b9dddfc829ffc9ef0d8b25b6f789af0d0282c45388b61bd7d113b7661f1b573ec1a32432f985ef6273935e422c233e5ea9617edfe09eb458903e5241ff82214

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe

Filesize
481KB

MD5
86e753aa265886f2b8f755a712465ef9

SHA1
f669396da7014d1bcfb0dba2f104088d7e4c3575

SHA256
19914a65832a677ac734ae0f213b6b93d85f9cdef2029e60d0af4a53f0540ea5

SHA512
0b8e37a9feec409d30eef47b74c3a7a6feee87084b022533a4a5ac91bddb01a10b11ff57cc5b3544f158c6bdf038b7782eeaead48b66cb853d500003c1a86739

Download Submit
C:\Windows\SysWOW64\Mdnebc32.exe

Filesize
481KB

MD5
16615417e7242f4485f704b844c0793d

SHA1
160a802886dbf016db01650708ee1a851d83bc9d

SHA256
6a4e4b8487acdf5e384fe0d98254f4fb7ee4d957501a598be254361bff6c6e51

SHA512
97b153bb4815e9b0d03c0197a893c6441cc4652eaeb8014d41ab1eff61c9f0b1147d5a776fa0aadc716f784b6f431d2e2b8d4a670df06391c07f25c2387580ba

Download Submit
C:\Windows\SysWOW64\Mepnaf32.exe

Filesize
481KB

MD5
f7559a80915c521a7b5094dd16c6998d

SHA1
6521fe44997c8db1a380768dca61daad40923c51

SHA256
75facb5117a216c1d6ab874e90ac48538305cfe34925990caa2077fa806ff33f

SHA512
42bd2f935c1e7ecf75fdd874d848bb9fd3444f7f626cfe97c0ed51ed5f19acdf2236246e00805a48dd5c98fc0f730a1b58492842b022ab85c4cc278525b83296

Download Submit
C:\Windows\SysWOW64\Mhknhabf.exe

Filesize
481KB

MD5
5e6029cfc6a4cebfdc9c44ef91feeefe

SHA1
1dfa9c141232d8192b3df338c0bf6c76fef3e239

SHA256
76314dd4e72173ffc05b4de9509368d71649f6a3c52c45790932eab8b4807b35

SHA512
2d9888a4e1cde226627f66992e13f514350c96e4d8017c3abdea186b481c5fa3a5e31a6ad7c10d24d249de1bc29c2cedcd5e69f179933a57a48ed559c442d30c

Download Submit
C:\Windows\SysWOW64\Mhnjna32.exe

Filesize
481KB

MD5
6a4d90e45e08065757529f56562ed0c7

SHA1
d5e49f6d494290bee159f9ade62df238fe2f919e

SHA256
5c2c10e5dfdead9392264413670432e9f680d6b54f39c6b39d5e329d562e3a4c

SHA512
7fa2f6bd5d6b9988e583d93bc793ba73f7443d3c40ca19b116c13bd9051cfb82fc2bce57ca5ec83f4d881d7a59ab1fcf9a0517e567b864ae78fb7eac3e56258b

Download Submit
C:\Windows\SysWOW64\Mkjjdmaj.exe

Filesize
481KB

MD5
7d5fbd2c9bcd6530f3d5ddcdd0ee7012

SHA1
4fdd45538b7e03b2cc21f415993dd8ac17e91643

SHA256
5417660cbc9e4b6d6aa6b1061eaae101af934e020346728f8ae4194a1d6bdf8e

SHA512
904b32ce5d0b7d35929b7f756deb7848acdab31dda6dd4b51444eff3ca9bcd199de27da379e1b1e6d70c0763f1f4b3a172383d6db0b095a2963f964c685eaa8a

Download Submit
C:\Windows\SysWOW64\Mklfjm32.exe

Filesize
481KB

MD5
50705ca5217b6b215518b4f1b35b93c8

SHA1
eea85a56ae6c6ecd8215b80d6059cf970e01a246

SHA256
85a8841e45633b3c5555b0469d2d12fdbd3e7b8194f12c808ec051d9df0ead24

SHA512
ef1cf4946f8ee86f484d17c1d0773b9d2cf009745d15f1cd89b0be25186e0681c597ffd91a36b98f8004ee7177817f68f707e303b0c05ddcb3fcc68e6e177e2f

Download Submit
C:\Windows\SysWOW64\Mlbpma32.exe

Filesize
481KB

MD5
3889a77fed85da9b5caf6cb7040ba77f

SHA1
015a0597a90d736b380a2a1cac0129f78df88e78

SHA256
13b5dd7959cf96a2cde6cf3417d8a447d6ada835eff2ce5a4fdfe97c4f079f3a

SHA512
bc338194e53e4a8ff49e15ce8408fd802747438b9a8078288b60ea50d68900df4b82bad77840dfa3e59c8c1c1f9b793a56ef5daa0fcdf8b47f7ab9f2d6baee5c

Download Submit
C:\Windows\SysWOW64\Mlemcq32.exe

Filesize
481KB

MD5
eadef9ffb1cd409346fae5b42284af8e

SHA1
57bb20f55c59661bc64fd9947d324c7c407d7d48

SHA256
105dd3200d0165629e867e4f4a366ec8635bc5e606548110fb971d5e2964b0cd

SHA512
10dc396038ae1afc4cbb8c0932e5be8723cc510254214f4b01439685260cd3e78c21542cdc4ebe62b77bd957201b3f0daf11075f0875681457e7546a88cdec1e

Download Submit
C:\Windows\SysWOW64\Mnpkiqbe.dll

Filesize
7KB

MD5
0e754eece722df89d51207d1ee6dfa43

SHA1
ec73eca4506fa8ed67ebfe04f25e218e42b5293b

SHA256
d34df3d59d05e0b14510e2eb20f7d06ddbce7770256347bdefd511809dffc699

SHA512
83b6c3c91d8146366b56f272320b595b5719f4f9e10784d79e6f0c6eb99ee1f645a3576983157bcdf179c577daab00eb861b56ac0b682b3f714d082b8203f1cb

Download Submit
C:\Windows\SysWOW64\Mociol32.exe

Filesize
481KB

MD5
c737542023386080eb1fa00392800ec3

SHA1
d8aeee138bf66a576fd822b5c56487055a1d7052

SHA256
6f1ce3aaf9f6636a4dc3e35a2ad075f237fdaae79e6994dd5865ba015ce11fbc

SHA512
bd276e18249cb16351e7183cecba5d5ffaf5a0186ef0f81876a26c950c3a4639410cb20d19c24ce70378768b05fe350396fbb547358760ef290310d35c1f0a2a

Download Submit
C:\Windows\SysWOW64\Moefdljc.exe

Filesize
481KB

MD5
6576e677ed9258c8040ac499da4d19d3

SHA1
7b6d16d36050cde5dfb8ba7c952539be8b6038d4

SHA256
615ca5ad570aa7803880148655def27d747e64d91f239124e3adddc78edebc6c

SHA512
17a4122741445c522f75d5a8bacbd31d5ece1a2fec397387a3ff0411afde6ccdb8c7eb7a4891b8b3644dadf1a6673e3faba998da8f84ffbc6fcba76b1332c5d4

Download Submit
C:\Windows\SysWOW64\Nhlfoodc.exe

Filesize
481KB

MD5
81fe22240fd841eea3c5bd63c6e9cc79

SHA1
d866f27ef607e7d23d956091f96754266db70710

SHA256
eb34b7d48b5959fc654e2fa0495f04ce92f640ea42676b40c5e47a7719b3bbd7

SHA512
b4a7c1477a78f4de04709afa598d2936a85b62770170c6a8bc9b4cb70117079056f4b25fb9c491d40a1e7e2011f17a0fe58c3126f1ac22971e261b5386a86519

Download Submit
C:\Windows\SysWOW64\Odjmdocp.exe

Filesize
481KB

MD5
8a5f0f65566f7bf001f1b46c386ff9bf

SHA1
e35f60e5afeaf194f88121ae5a53bb269652a8d0

SHA256
54083d1696f6dd9816e83d6fc06c450b6fa5426f149f3f2c3d22c7648401aa8f

SHA512
dff236dc2949c08f2e5a72f16189fd3afa9ce840d9467e7e09f1c6e4c5e9165800df20e49ef55314642520a5f2f7820b17ffdaf2a0172a79edc9e12b09c334a5

Download Submit
C:\Windows\SysWOW64\Pcpgmf32.exe

Filesize
481KB

MD5
81b11b17c0512aeea2285a6fc1c07a1b

SHA1
a6caaa6eaeb69ad38303af7cd7d18737990b2a76

SHA256
7f2dbe89a58e9b36380675c985424d7425c917630e952486fec3a690f86a66b2

SHA512
8b6a7f21c15fd480e8c840a68ff94f2ac93c7f9b7fc4f3e2a6d5bacd7b13c7126b03b7c40f0824a347cb35dbea00847a405cdf8592d2e667d196895d93399570

Download Submit
C:\Windows\SysWOW64\Pfbmdabh.exe

Filesize
481KB

MD5
fb441277e5215fdff58c6bde0ba46fc9

SHA1
ad119deb7961a03dc3b8aee0d10b9fb3d7e0a8c2

SHA256
77d8cab3fb275f2f136a572aa741c2bc2369a748f6f3283b4a6232c8d732695e

SHA512
0504a0a9a8d68bbc39f3a43408c3039cea69b933b6ea1e91d0a0b3b9bf638786b3447227cbee26ab7639f8895aa02715896fefcb3096b87e71b6fa35ead02d11

Download Submit
C:\Windows\SysWOW64\Piceflpi.exe

Filesize
481KB

MD5
db26eb1d7a55c88e330dbfc6beaf71cd

SHA1
2f6c8d8bce9f646118fd848cbbfd36df8722ec4e

SHA256
46939bd583a30927e88dbf9054046c78b3cc0cb79b9542c638cecb688b4240b1

SHA512
53166e9ae86f0114695c0b34f091e6cc1454414549e6fffb12f626b61f9096436c9796fa89342f1fdc3c20488050055aadad5044a1747ba137b72dabad824472

Download Submit
C:\Windows\SysWOW64\Qmckbjdl.exe

Filesize
481KB

MD5
00e6114ed44086e7c0d4214f8f5034d4

SHA1
e8fea29e41799e1986c366206d3bb08970d48a22

SHA256
107e93e282c0cae59b1dbf5e1e4a489094e25157549c325947f0b4c204be4708

SHA512
f320bdb825c197056078625c361f2329367c34a3782df6b919cf61c0324560426a6752775a31da1abaa937cc62640d66b4097fc7480e18c6e9d68245f65ffe07

Download Submit
memory/64-676-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/64-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-684-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-682-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-707-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/728-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-699-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-674-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-680-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-672-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-693-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-678-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-701-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-691-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-697-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-703-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-713-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-695-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads