c79268b8c579c89620b92b1595d89450a8af494c427676eb5838fbb3eca7a4fb

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c79268b8c579c89620b92b1595d89450a8af494c427676eb5838fbb3eca7a4fbN.exe
Size

1.1MB
MD5

a5a2050a734fd5cb1b99575b53341130
SHA1

a182c4ff89e62a1dd32f009fdd503abb0dee588d
SHA256

c79268b8c579c89620b92b1595d89450a8af494c427676eb5838fbb3eca7a4fb
SHA512

9a49f49c817069e991dd58da7dee7575007cc89418b330f3f76cc6094d0c7a6ac0b3b459a6e217c13b7452ff1bc39700351458ccb377a5ba3efaf7ea0d4b8d15
SSDEEP

12288:l7IbrQg5Z/+zrWAIAqWim/+zrWAI5KFukEyDucEQX:qbrQg5ZmvFimm0HkEyDucEQX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfcoblfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cehlcikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdnelpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfogbjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moalil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdebfago.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Defheg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bipecnkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaekg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clgmkbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mociol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nconfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheienli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcpika32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clijablo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdebfago.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdnebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecialmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmddihfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abjfqpji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfcoblfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnfooe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qifbll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbcbnlcl.exe

Executes dropped EXE 64 IoCs

pid	Process
4160	Bjfogbjb.exe
3196	Bbdpad32.exe
3832	Bipecnkd.exe
3164	Bpjmph32.exe
2192	Bgdemb32.exe
2076	Cpacqg32.exe
2328	Dgpeha32.exe
2500	Dknnoofg.exe
3088	Dahfkimd.exe
2616	Dcibca32.exe
892	Ddmhhd32.exe
2724	Eaaiahei.exe
3052	Egpnooan.exe
1576	Eddnic32.exe
1108	Fbaahf32.exe
3480	Fqikob32.exe
3884	Gnohnffc.exe
1272	Gcnnllcg.exe
948	Gnfooe32.exe
3896	Hnkhjdle.exe
1144	Hjdedepg.exe
804	Ibpgqa32.exe
3212	Infhebbh.exe
5080	Iajmmm32.exe
4332	Janghmia.exe
1352	Jnedgq32.exe
3728	Jacpcl32.exe
4756	Klmnkdal.exe
3664	Kkbkmqed.exe
1620	Kocphojh.exe
2092	Leabphmp.exe
3636	Lkqgno32.exe
1676	Lehhqg32.exe
4736	Moalil32.exe
2356	Mdnebc32.exe
880	Mociol32.exe
3648	Maaekg32.exe
3596	Mhknhabf.exe
4652	Mcabej32.exe
1548	Mlifnphl.exe
5048	Mafofggd.exe
808	Mkocol32.exe
4388	Mcfkpjng.exe
1664	Nchhfild.exe
2340	Ncjdki32.exe
4992	Ndnnianm.exe
1820	Nconfh32.exe
4540	Okmpqjad.exe
3976	Ohqpjo32.exe
5056	Ohcmpn32.exe
2164	Oheienli.exe
3964	Ofijnbkb.exe
4888	Okfbgiij.exe
3280	Pijcpmhc.exe
1036	Pkholi32.exe
1580	Pbbgicnd.exe
4232	Pmhkflnj.exe
3136	Pcbdcf32.exe
884	Pkmhgh32.exe
4788	Peempn32.exe
208	Pcfmneaa.exe
3788	Pehjfm32.exe
4336	Pkabbgol.exe
3672	Pbljoafi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ofijnbkb.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Pbbgicnd.exe	Pkholi32.exe
File created	C:\Windows\SysWOW64\Ammnhilb.exe	Afceko32.exe
File created	C:\Windows\SysWOW64\Dkakfgoq.dll	Clijablo.exe
File created	C:\Windows\SysWOW64\Hnkhjdle.exe	Gnfooe32.exe
File created	C:\Windows\SysWOW64\Emnhomim.dll	Mociol32.exe
File created	C:\Windows\SysWOW64\Dqjhif32.dll	Abcppq32.exe
File created	C:\Windows\SysWOW64\Pndjmkng.dll	Bmfqngcg.exe
File created	C:\Windows\SysWOW64\Ndfchkio.dll	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Idbgcb32.dll	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Ieaqqigc.dll	Leabphmp.exe
File created	C:\Windows\SysWOW64\Mbdpdane.dll	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Kchhih32.dll	Moalil32.exe
File opened for modification	C:\Windows\SysWOW64\Afceko32.exe	Apimodmh.exe
File created	C:\Windows\SysWOW64\Iajmmm32.exe	Infhebbh.exe
File created	C:\Windows\SysWOW64\Bifkcioc.exe	Bejobk32.exe
File created	C:\Windows\SysWOW64\Ihbdmc32.dll	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Cehlcikj.exe	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Caajoahp.dll	Dahfkimd.exe
File opened for modification	C:\Windows\SysWOW64\Okfbgiij.exe	Ofijnbkb.exe
File opened for modification	C:\Windows\SysWOW64\Cehlcikj.exe	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Pkmhgh32.exe	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Cmphbcbb.dll	Bcicjbal.exe
File opened for modification	C:\Windows\SysWOW64\Pijcpmhc.exe	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Fqkiecpd.dll	Aecialmb.exe
File opened for modification	C:\Windows\SysWOW64\Cifdjg32.exe	Cehlcikj.exe
File created	C:\Windows\SysWOW64\Dinjjf32.exe	Dbcbnlcl.exe
File opened for modification	C:\Windows\SysWOW64\Defheg32.exe	Dpjompqc.exe
File created	C:\Windows\SysWOW64\Bpjmph32.exe	Bipecnkd.exe
File created	C:\Windows\SysWOW64\Egnelfnm.dll	Eddnic32.exe
File created	C:\Windows\SysWOW64\Fobkem32.dll	Apimodmh.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Egpnooan.exe
File created	C:\Windows\SysWOW64\Cfioldni.dll	Mcabej32.exe
File created	C:\Windows\SysWOW64\Pinffi32.dll	Ibpgqa32.exe
File created	C:\Windows\SysWOW64\Moalil32.exe	Lehhqg32.exe
File created	C:\Windows\SysWOW64\Ebcgjl32.dll	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Fbelak32.dll	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Dpjompqc.exe	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Bgimjd32.dll	Gnohnffc.exe
File created	C:\Windows\SysWOW64\Ibpgqa32.exe	Hjdedepg.exe
File opened for modification	C:\Windows\SysWOW64\Bjfogbjb.exe	c79268b8c579c89620b92b1595d89450a8af494c427676eb5838fbb3eca7a4fbN.exe
File created	C:\Windows\SysWOW64\Lehhqg32.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Mlifnphl.exe	Mcabej32.exe
File created	C:\Windows\SysWOW64\Kpmmhc32.dll	Okmpqjad.exe
File opened for modification	C:\Windows\SysWOW64\Ammnhilb.exe	Afceko32.exe
File created	C:\Windows\SysWOW64\Ghfqhkbn.dll	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Kmpaoopf.dll	Hjdedepg.exe
File opened for modification	C:\Windows\SysWOW64\Lkqgno32.exe	Leabphmp.exe
File opened for modification	C:\Windows\SysWOW64\Qifbll32.exe	Pbljoafi.exe
File opened for modification	C:\Windows\SysWOW64\Bmfqngcg.exe	Bbalaoda.exe
File opened for modification	C:\Windows\SysWOW64\Dgpeha32.exe	Cpacqg32.exe
File created	C:\Windows\SysWOW64\Dknnoofg.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Qhomgchl.dll	Janghmia.exe
File opened for modification	C:\Windows\SysWOW64\Bcpika32.exe	Bmfqngcg.exe
File created	C:\Windows\SysWOW64\Jkiigchm.dll	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Fkiecbnd.dll	Cdebfago.exe
File created	C:\Windows\SysWOW64\Kdfepi32.dll	Dgpeha32.exe
File opened for modification	C:\Windows\SysWOW64\Leabphmp.exe	Kocphojh.exe
File created	C:\Windows\SysWOW64\Lkqgno32.exe	Leabphmp.exe
File opened for modification	C:\Windows\SysWOW64\Dinjjf32.exe	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Ggiipk32.dll	Clgmkbna.exe
File opened for modification	C:\Windows\SysWOW64\Mkocol32.exe	Mafofggd.exe
File created	C:\Windows\SysWOW64\Cpqlfa32.exe	Cifdjg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5560	5348	WerFault.exe	200

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnnianm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecialmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaaiahei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnfooe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjdedepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlifnphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfmneaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfcoblfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cplckbmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjfqpji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahfkimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkbkmqed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbgicnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifbll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhknhabf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohqpjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afceko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcicjbal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbalaoda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnkhjdle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blknpdho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clijablo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c79268b8c579c89620b92b1595d89450a8af494c427676eb5838fbb3eca7a4fbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apimodmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdebfago.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibpgqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maaekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfkpjng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmfqngcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcbeqaia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjmph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpnooan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacpcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnedgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moalil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mafofggd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acbmjcgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlqpaafg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcabej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cemeoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmkcpdao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimhmkgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjompqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnohnffc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdpad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonhbi32.dll"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaggn32.dll"	Bcpika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dikifc32.dll"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfioldni.dll"	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edjgidik.dll"	Blknpdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lggfcd32.dll"	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncgmcgd.dll"	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kchhih32.dll"	Moalil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaekg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlifnphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joboincl.dll"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acbmjcgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aecialmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihmeahp.dll"	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caajoahp.dll"	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lehhqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiinbn32.dll"	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjgnln32.dll"	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcpika32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgjlq32.dll"	Bifkcioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbdpdane.dll"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afceko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkholi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bifkcioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	c79268b8c579c89620b92b1595d89450a8af494c427676eb5838fbb3eca7a4fbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfqhkbn.dll"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpkdlkd.dll"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honmnc32.dll"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqgoo32.dll"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clijablo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkbdql32.dll"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmoqj32.dll"	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aocdjq32.dll"	Mkocol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcicjbal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinffi32.dll"	Ibpgqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhknhabf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnelfnm.dll"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oheienli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdebfago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebldoh32.dll"	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c79268b8c579c89620b92b1595d89450a8af494c427676eb5838fbb3eca7a4fbN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 4160	2096	c79268b8c579c89620b92b1595d89450a8af494c427676eb5838fbb3eca7a4fbN.exe	89
PID 2096 wrote to memory of 4160	2096	c79268b8c579c89620b92b1595d89450a8af494c427676eb5838fbb3eca7a4fbN.exe	89
PID 2096 wrote to memory of 4160	2096	c79268b8c579c89620b92b1595d89450a8af494c427676eb5838fbb3eca7a4fbN.exe	89
PID 4160 wrote to memory of 3196	4160	Bjfogbjb.exe	90
PID 4160 wrote to memory of 3196	4160	Bjfogbjb.exe	90
PID 4160 wrote to memory of 3196	4160	Bjfogbjb.exe	90
PID 3196 wrote to memory of 3832	3196	Bbdpad32.exe	91
PID 3196 wrote to memory of 3832	3196	Bbdpad32.exe	91
PID 3196 wrote to memory of 3832	3196	Bbdpad32.exe	91
PID 3832 wrote to memory of 3164	3832	Bipecnkd.exe	92
PID 3832 wrote to memory of 3164	3832	Bipecnkd.exe	92
PID 3832 wrote to memory of 3164	3832	Bipecnkd.exe	92
PID 3164 wrote to memory of 2192	3164	Bpjmph32.exe	93
PID 3164 wrote to memory of 2192	3164	Bpjmph32.exe	93
PID 3164 wrote to memory of 2192	3164	Bpjmph32.exe	93
PID 2192 wrote to memory of 2076	2192	Bgdemb32.exe	94
PID 2192 wrote to memory of 2076	2192	Bgdemb32.exe	94
PID 2192 wrote to memory of 2076	2192	Bgdemb32.exe	94
PID 2076 wrote to memory of 2328	2076	Cpacqg32.exe	95
PID 2076 wrote to memory of 2328	2076	Cpacqg32.exe	95
PID 2076 wrote to memory of 2328	2076	Cpacqg32.exe	95
PID 2328 wrote to memory of 2500	2328	Dgpeha32.exe	96
PID 2328 wrote to memory of 2500	2328	Dgpeha32.exe	96
PID 2328 wrote to memory of 2500	2328	Dgpeha32.exe	96
PID 2500 wrote to memory of 3088	2500	Dknnoofg.exe	97
PID 2500 wrote to memory of 3088	2500	Dknnoofg.exe	97
PID 2500 wrote to memory of 3088	2500	Dknnoofg.exe	97
PID 3088 wrote to memory of 2616	3088	Dahfkimd.exe	98
PID 3088 wrote to memory of 2616	3088	Dahfkimd.exe	98
PID 3088 wrote to memory of 2616	3088	Dahfkimd.exe	98
PID 2616 wrote to memory of 892	2616	Dcibca32.exe	99
PID 2616 wrote to memory of 892	2616	Dcibca32.exe	99
PID 2616 wrote to memory of 892	2616	Dcibca32.exe	99
PID 892 wrote to memory of 2724	892	Ddmhhd32.exe	100
PID 892 wrote to memory of 2724	892	Ddmhhd32.exe	100
PID 892 wrote to memory of 2724	892	Ddmhhd32.exe	100
PID 2724 wrote to memory of 3052	2724	Eaaiahei.exe	101
PID 2724 wrote to memory of 3052	2724	Eaaiahei.exe	101
PID 2724 wrote to memory of 3052	2724	Eaaiahei.exe	101
PID 3052 wrote to memory of 1576	3052	Egpnooan.exe	102
PID 3052 wrote to memory of 1576	3052	Egpnooan.exe	102
PID 3052 wrote to memory of 1576	3052	Egpnooan.exe	102
PID 1576 wrote to memory of 1108	1576	Eddnic32.exe	103
PID 1576 wrote to memory of 1108	1576	Eddnic32.exe	103
PID 1576 wrote to memory of 1108	1576	Eddnic32.exe	103
PID 1108 wrote to memory of 3480	1108	Fbaahf32.exe	104
PID 1108 wrote to memory of 3480	1108	Fbaahf32.exe	104
PID 1108 wrote to memory of 3480	1108	Fbaahf32.exe	104
PID 3480 wrote to memory of 3884	3480	Fqikob32.exe	105
PID 3480 wrote to memory of 3884	3480	Fqikob32.exe	105
PID 3480 wrote to memory of 3884	3480	Fqikob32.exe	105
PID 3884 wrote to memory of 1272	3884	Gnohnffc.exe	106
PID 3884 wrote to memory of 1272	3884	Gnohnffc.exe	106
PID 3884 wrote to memory of 1272	3884	Gnohnffc.exe	106
PID 1272 wrote to memory of 948	1272	Gcnnllcg.exe	107
PID 1272 wrote to memory of 948	1272	Gcnnllcg.exe	107
PID 1272 wrote to memory of 948	1272	Gcnnllcg.exe	107
PID 948 wrote to memory of 3896	948	Gnfooe32.exe	108
PID 948 wrote to memory of 3896	948	Gnfooe32.exe	108
PID 948 wrote to memory of 3896	948	Gnfooe32.exe	108
PID 3896 wrote to memory of 1144	3896	Hnkhjdle.exe	109
PID 3896 wrote to memory of 1144	3896	Hnkhjdle.exe	109
PID 3896 wrote to memory of 1144	3896	Hnkhjdle.exe	109
PID 1144 wrote to memory of 804	1144	Hjdedepg.exe	110

C:\Users\Admin\AppData\Local\Temp\c79268b8c579c89620b92b1595d89450a8af494c427676eb5838fbb3eca7a4fbN.exe
"C:\Users\Admin\AppData\Local\Temp\c79268b8c579c89620b92b1595d89450a8af494c427676eb5838fbb3eca7a4fbN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\Bjfogbjb.exe
  C:\Windows\system32\Bjfogbjb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\SysWOW64\Bbdpad32.exe
    C:\Windows\system32\Bbdpad32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\SysWOW64\Bipecnkd.exe
      C:\Windows\system32\Bipecnkd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3832
    - - C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
      - C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Gcnnllcg.exe
        
        C:\Windows\system32\Gcnnllcg.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Gnfooe32.exe
        
        C:\Windows\system32\Gnfooe32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Hnkhjdle.exe
        
        C:\Windows\system32\Hnkhjdle.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Hjdedepg.exe
        
        C:\Windows\system32\Hjdedepg.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Mhknhabf.exe
        
        C:\Windows\system32\Mhknhabf.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        45⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Acbmjcgd.exe
        
        C:\Windows\system32\Acbmjcgd.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Aecialmb.exe
        
        C:\Windows\system32\Aecialmb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Amoknh32.exe
        
        C:\Windows\system32\Amoknh32.exe
        79⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Bcicjbal.exe
        
        C:\Windows\system32\Bcicjbal.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        82⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Bmddihfj.exe
        
        C:\Windows\system32\Bmddihfj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Bcbeqaia.exe
        
        C:\Windows\system32\Bcbeqaia.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Cfcoblfb.exe
        
        C:\Windows\system32\Cfcoblfb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Cpqlfa32.exe
        
        C:\Windows\system32\Cpqlfa32.exe
        94⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Cemeoh32.exe
        
        C:\Windows\system32\Cemeoh32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Clgmkbna.exe
        
        C:\Windows\system32\Clgmkbna.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Cdnelpod.exe
        
        C:\Windows\system32\Cdnelpod.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        98⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 428
        108⤵
        Program crash
        
        PID:5560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5348 -ip 5348
1⤵
PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbalaoda.exe

Filesize
1.1MB

MD5
073e81c12f8abfbfe6bf58c7a5e406bc

SHA1
b24892d501108701065e7f26d68bfe1800d74f92

SHA256
e65ce5bb8e4175e3938e5577231c2e5ab6af4a07c2ac750ad3a15dc8bb2f50d4

SHA512
d43adcc5c1c9765036f757ce6867c8afb426ef81c27ea5e3b1e5f6da4b5f840331f3d840ef3456703f10ee8c33aacef6be8ae15ffcedd1a2d4f4f230009957e7

Download Submit
C:\Windows\SysWOW64\Bbdpad32.exe

Filesize
1.1MB

MD5
7e3367e6cb7ec0092aca039de50d8878

SHA1
df18965970a46b221b98fbbf9d289a8eabbe1fde

SHA256
f58b801d9e9c76a0553bc1684d72a57541ef3e4de87d836f0f65e097e1283e05

SHA512
11bb24e69062b1fdca07b8a10115a598d3ac79cdf7f09da917e300d3e7e7077f200990b2a754efd79039a651a7734b95ae8c67116b7cc30444a873671b552ddd

Download Submit
C:\Windows\SysWOW64\Bcbeqaia.exe

Filesize
1.1MB

MD5
8c17a19234fac355855bef632623b6a5

SHA1
2505f8f78e922ad3be92070c9e0cfe4eec53c4b8

SHA256
bd89f13321c0f121a3ba394943b73f7669c4bb5f935ab3842e93fd4b7ce7fb77

SHA512
1f4dacf9557faadd72de2ffbc511c3d1aed2428b8d6783c1063619b08e63c6815b80df458e707d1da4af488da55ce8fb55f06cd9174c9254c4a5365156cfd4f4

Download Submit
C:\Windows\SysWOW64\Bcpika32.exe

Filesize
1.1MB

MD5
4a3687e5aeb35fc450fb0a9018e890ad

SHA1
2929c897bd2a5a11184d9fbdca313e71effe8c95

SHA256
4e7cd684d39e8309c13146550f4c7da2b708f2952a3f3aff0c80a928d4971e09

SHA512
2ca72178ffdbb2ece16128eace7070e86520e91b3f9e72cee94cfe3827712e26ea27785531ee0ed6b301f2fcc62821f6d3daa3efa0783b56a41101b48bec5615

Download Submit
C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
1.1MB

MD5
dc336a16d37e8f787d315ef13b7740ff

SHA1
9662fea90b729b4f72faf7836569e173df3ec2fd

SHA256
894237d73806a18329b193efd6abc3c42b40a0a83f8bcf4df4a68e90c9046618

SHA512
36264901a7634d7a4f3e6afec8163dd47bb02aa9fda5afc32acef9937e442ce194e1566b977444a6ee5173e8fe66c6829d990c0806f45437fa3f19c3c0022616

Download Submit
C:\Windows\SysWOW64\Bifkcioc.exe

Filesize
1.1MB

MD5
fe8b768832b540af31512923d9ac1613

SHA1
4acd057270819f9d59894838ef57276c35f447cd

SHA256
804ef0651970c2610b0bb3bb2cf2a9ca2b3ebc729883ad88fbc91064eb92dc17

SHA512
e17ac74bb812da2812ab8f24abef6febdeed3059d3cd644b8aea481e0d4951039742e28c96313fa4842e130eb0d829b31d87367049b723d3886d57f9ef4515a5

Download Submit
C:\Windows\SysWOW64\Bipecnkd.exe

Filesize
1.1MB

MD5
b05204e1f868acd21e6be47d269bfef0

SHA1
7f570e2e472b51003231735415e975c79549f466

SHA256
566c3d065a518654824b8c087d7f53bc0750eca8273a52c81e3f3f67334e4b36

SHA512
03747e66c5fd0fcf483dec1b40adde533c931f1a7d7173afdcec3a6b47d78d985dc80f536e67167decadd1703be91db326e33dfe7360fe4583ff2d89d12ce4b8

Download Submit
C:\Windows\SysWOW64\Bjfogbjb.exe

Filesize
1.1MB

MD5
59f24c1318174c2d39ec9c38530abc1c

SHA1
7c8cda8bcae61eb6ccf3c11b09ec3325c922e970

SHA256
62974da90fb40a711b0ab0eb70348e6909b84b3e86df22a658c25187d8f3b947

SHA512
2d8f004980461f9b614beb96a600bfbade7f4fe7bc0902bb9011d0dad36a3b3225b7c89de72fe83583a499452731a146009d1b3f8c51216948aa881361d18e40

Download Submit
C:\Windows\SysWOW64\Bpjmph32.exe

Filesize
1.1MB

MD5
a284a3adf1f881bde55d8269d07d8eea

SHA1
d033651456e8345e9bfd7908803dd24cc6880dff

SHA256
cd452d7752622a4daca4a0bb6f49fa4098da678013ee0dd636e7caacc33fb35f

SHA512
69309e81e0ba7d23a3d7f195051700b1b2c4ca8cbb04820372b18c4df028934ae011f79a5246a13d2dd447300411ffde459e658c359c1fc007e4c7d957c36747

Download Submit
C:\Windows\SysWOW64\Cehlcikj.exe

Filesize
1.1MB

MD5
2bae06fb1fa2e8af7b20e03b9ac86963

SHA1
5c890f79edb2bf8f9ddd0bc2732dea1c577b65ef

SHA256
584b714cf77e3f18d8ccf1154c2501b7dbc961d294455a5c9428f053fdc9f8be

SHA512
0781643752aad5b10e30e03013cda67e5ab15b4c8cbea36dc5b07da73de161a2fc4de534e18805a9e88a0526c68035c7224cce03ac2943b462126eb2bc380ea5

Download Submit
C:\Windows\SysWOW64\Cpacqg32.exe

Filesize
1.1MB

MD5
21b4637e45e285a42991b12ac696cb00

SHA1
b6e1aa9a0e4d4c34b4f63d46ca01bcbc75fae1d1

SHA256
6503c7a9cb2fc6ef981aeaa883785b186cfc4600f9836fdcf15c2d2b5835dd8a

SHA512
0b72d7791ef9271cee3a121b973f0394f76f4c736945d74a43e6f10e8bc26fcb170bb91c674f7abc4888b5b75f831ef596388af1c14d35bbd2d8093f909622cb

Download Submit
C:\Windows\SysWOW64\Cplckbmc.exe

Filesize
1.1MB

MD5
aa98f9ca099b743118442c7eb3b45b44

SHA1
feca7ad9951241bbb9b6df07100cbb67fc09e94d

SHA256
469807c9b49b5d42e78dfefd405d2663907b5da24ba1c15698245406f7dd5531

SHA512
524b4192bae41ab8755a97798bfdfd68145dc3e45b1c9c0ed387edf10bfb137af021f5433f64e87682a222a169cff33a693d930881892d64315cfd7ff8971c31

Download Submit
C:\Windows\SysWOW64\Dahfkimd.exe

Filesize
1.1MB

MD5
46e1d8fe68721c996c10186707d55307

SHA1
10719997a7a66e27d80fe7833703d494c6048e44

SHA256
328af7333dcb2764bca2348dfae5dfc90c27dff4c7ef1be432d3da234d9c2c5f

SHA512
d5df293d2288e7b31344e93fe88469ec9637dbfd947da890724cbe9e772cbbac30e13d619921656b02ef69f5368b2074803679fc88a1a3f443894164d1193eef

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
1.1MB

MD5
8e20a456d274ccaf25edee1519692ebc

SHA1
f8dde6d40a78529bff89c09a491137630abf5e65

SHA256
83cbfcddcc34ef5dfcb94bcf319608c6a400e13b62f13b323ec79615796a6c7c

SHA512
b3deaf8904616206b21a9ab497658d3c719bf72ac275c73d920f9caf994fc64febbc02346d121040bce20f07a533fad78c054ab3ee8cf23233c1ee9b16635db1

Download Submit
C:\Windows\SysWOW64\Ddmhhd32.exe

Filesize
1.1MB

MD5
fe74428b772741668672824b376965b2

SHA1
c766b0bd2af6339d7e771122b14302f0ebe57a92

SHA256
e4d9794af830e22987ca79d73b9b4e7e440de6b574dd1b982efe3406f38b9b70

SHA512
3cd639fabe805a4bea6ee23991bfedaa300fb1765f97f9d0051bebd581f194b7bc17a01a603a3c3dcffd10b83bf7261f5177537ad5de825de1bd7d6015ecf5c7

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
1.1MB

MD5
c0f3637dd3a021e265eb92f236315250

SHA1
4c67bac3e0d94bc8670e2fe80ed3f5069de6bcc3

SHA256
808ec6533e3b1098aab8859518ccac71882b9d5257470615d0c60ffae899a74a

SHA512
d51e9840aa624b25d8c7a8c54a2a1815b160b109207fbcbda3ef3f0f426d02a9444c1935341ac7960b8dd564bec7b2ae8244c29b8524e61554aec12a88fe389f

Download Submit
C:\Windows\SysWOW64\Dknnoofg.exe

Filesize
1.1MB

MD5
1441613d958e9245ea5722cf71e3fcc3

SHA1
8e332747145075added1a80948befe93e78f77bc

SHA256
8051280faf5e5254545717ad19aa216841d564e8e9c7c14e094d897dce71d654

SHA512
abdbfff476179441be6538c26cebb3cdd59b5ad87e79aaea511ca1097071d2b431536dada9a6e77a50724f0c5fce2f24b25ea66df3f8ef10746d16781aea8eec

Download Submit
C:\Windows\SysWOW64\Eaaiahei.exe

Filesize
1.1MB

MD5
61cdb245d9d9409e2f0f159ca57604aa

SHA1
abc91c10cc87ebabd3dc6a186c9a5f914a70450d

SHA256
b7e645916f57011aff2087f618c723113d908343f2bb601691f60de3009b0f8a

SHA512
64b34d3ddadc6c0f6ff33ece88e8a534ad9663b7c967716881aaf08899684e98da0b634e80b25167139f50fdf4afcd753df4374f6e59841554be0a775ff958a3

Download Submit
C:\Windows\SysWOW64\Eddnic32.exe

Filesize
1.1MB

MD5
49a63fab73a52d1d26edf5249d6957d1

SHA1
f78ecc10dd1061e22070a5bca09ab8e5189a3d85

SHA256
d61584deb9084a8ef3d50298741bbb52655b14f3dd8c167ec6c3e2f8716df96b

SHA512
d271e8110fe4b97fe3543c79e26fb1b85458b25cee83a5b22fca1bb759d54bf571fbda7116615aa072ddb01447eb5064edddea88032a1d0b92e930b6678c4dd7

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
1.1MB

MD5
2590806c7eb37bea5106fe7a8e43b04e

SHA1
db0aae468c95d52465b66927f77c6e2ed70265fa

SHA256
27646b4624b8fe48777670cbc6b7bda310eff1babe51bd424b89eadd41ac79b2

SHA512
e449e2b212c1624bcdda14ed907f47ebf09001b24883d730db320bd458789d5db0bb527aff1460948d54be3a7dfb0078b30e6c70ea84835603f8bcf69ef22977

Download Submit
C:\Windows\SysWOW64\Fbaahf32.exe

Filesize
1.1MB

MD5
138a6ea9a0a432b5fa3a678ab990f1ba

SHA1
de1475a18ea94d750cfb200b5c4de6b40f4bf385

SHA256
755ff75ddf5e404e097524d685ab76c3a96263fdbe22c516d88fda5eaac629a3

SHA512
88f28e97d7a7ea4b67c6e5039dffcfd9df5f289f5bca9b2a46e88587a608ffdb0ce27088dc4e04bbd3fe27027bcb94121d1aa021b9db2eb50e9644c48336fc34

Download Submit
C:\Windows\SysWOW64\Fqikob32.exe

Filesize
1.1MB

MD5
66e55be975357e680e13330016457205

SHA1
f1be7e9cd90e818cd3891b3bf30ab55b67886e38

SHA256
52ff8482fd2d6eda88252d26c6475bfd8eaf6260a0d539df5ef42f074325b168

SHA512
38871d191997eb6dbf41067578d2acf9ff084c6d1f2aa38a35380416463b5a580bc72a23f5c63689d586ef55b6d997996b62420dddb84d1182ea4272e89bb3c4

Download Submit
C:\Windows\SysWOW64\Gcnnllcg.exe

Filesize
1.1MB

MD5
0ea600fcfca9bac26e3311913d6f8c94

SHA1
62339052c78e56879edb4d018eaed505531678be

SHA256
970ba69e6820e07331b6d9630c08bd8ac44b31a9eca4a1c2e4e21541dc5ad293

SHA512
2e50e8b840271f17c0f7726d266d5c2f282f5411e8e5f3106201a63775e24458b1b6dbf1a789a86ef9e152326eb80c8ce60893b6ed0df9762f9a18fb4e5e7089

Download Submit
C:\Windows\SysWOW64\Gnfooe32.exe

Filesize
1.1MB

MD5
6f9ce6ddc454f450c4221372701b3340

SHA1
4aa7d301811ae008dc3c96f6c288ce9a5a87bef7

SHA256
c3ce2cd5dc3bf4038abaccfdb72cb10e8f18939e3a9100d67a859bcebc40b01f

SHA512
6b367dbd821cee88ac23f5a5cddb6aa1310c9ad04c951542e868ef65f7d6ffc5f6a48f3c825c7ac42bf4c472cc6beb26d385580e9d1432dc3fca3ec0df4cb646

Download Submit
C:\Windows\SysWOW64\Gnohnffc.exe

Filesize
1.1MB

MD5
a3b5dfc7dfddec1eb387bff8076ce5d1

SHA1
27850c6c90db91da0b3c3d1ea2bebf0923803e1d

SHA256
fb4ad352da7523a046cc8c8ab5d2a28b179c25d29306898857451d32316c7831

SHA512
392f289c17b981c2a6b98dba5d3ec98501ec4a7953cdf9b8e8db0edacbca3e3b7abb0832f035e508e9dc67c05b5d20e7cc50c6a9c2b27f72bc1947ff48f6d15d

Download Submit
C:\Windows\SysWOW64\Hjdedepg.exe

Filesize
1.1MB

MD5
c603c987e35afe0aa493996aedc9097e

SHA1
10daab88e556b4622bd4c43c80c3db1bc7e7db08

SHA256
33bea157033d9b1d5ee2029d6b3cff8f491664166f93deee6adb2298d1f6b66c

SHA512
d9f0c9de254e323f23f3dfdbca135402db82289f35c18bad0fab695792ab3f8e4bd5196353ba4851a87c93fa942aa1f848b537d01ac1b1ba92003fb421e159a9

Download Submit
C:\Windows\SysWOW64\Hnkhjdle.exe

Filesize
1.1MB

MD5
ae88646ca0d618f95e6436fe4a6457b3

SHA1
8ad002ea7776c3c387381776144a3141160383d6

SHA256
f55aa7fc23fc13c3b5d0d4b8beed7bb98879d7d6db96a3a52e9adb61c0b95a08

SHA512
50db58703df599bd774fa63e90322a1666730483ea3fc4a167d92561d4fc251ff255e5524009d0c45d31314d35d3745b82956e090cbf4711471c53d3b0499ac7

Download Submit
C:\Windows\SysWOW64\Iajmmm32.exe

Filesize
1.1MB

MD5
80967a95a6b42321322feb0a613d5ef9

SHA1
846539574246722057a133c76b3905ce6c7b836f

SHA256
677847185990f409d05fd6820c6cdccdde685ddf4c251f372180ff10c2c73e8e

SHA512
c1d1df982c975c70309f14bf25d2a43dcd091a140acf5327e30abb3552638278547c5528257d9fd4fcc3c99b886094969826b94ac7897ac386ad98ea19520589

Download Submit
C:\Windows\SysWOW64\Ibpgqa32.exe

Filesize
1.1MB

MD5
feaf9f9f542c4b633fd31f9cc527ebc4

SHA1
438c85b3afcb17bd4812907b30d51ff2a9dc8520

SHA256
aff10a3585e483521d3bae30432082c9461b48c124957f1e16edf25f42db9b9b

SHA512
1945d7cd2e796139d16ece534d2a85442616a36054fefa47fa763bc3cf124ec558bcebd6b887ea763e8d7669b5566bd7f6576a443d231154da8397fb6efa4b10

Download Submit
C:\Windows\SysWOW64\Infhebbh.exe

Filesize
1.1MB

MD5
c3e5ee967496fe12c0c66927d417a64d

SHA1
9aca9d2b5c20d7afc434868bd0454388312b64b8

SHA256
b924746169e307a0c760da57534f517821d57bf3bb687cd8af67ff5f12ce1c15

SHA512
ac814ae3fa05f8a34cc0ec7168eb88d95d0ef3c537d93b2fe5b4d759b7a16cf157deeb9233767a096988c48bc5b57d2a329a00a4f1f8999d5953c7dfd4a29926

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
1.1MB

MD5
e0d881494b48f130e7ed59d61fb2f18b

SHA1
23b3d06d0f190646f7afcf5ec540d0639549701f

SHA256
ad0b9b14869e0b76d26a60d1de159fc00b75beb357315a5cdd1b39a0d9006a1f

SHA512
f1bdd2f37fd19eca72ecfbf60d2aa70390a093f1ffed0d3012a76445278c40053f6539f2df3b1e2d27d229c7d7b52ed85dfe3645da2d6ddaf4ddb670290ea4cb

Download Submit
C:\Windows\SysWOW64\Janghmia.exe

Filesize
1.1MB

MD5
fafc60097fba8ba64833c138543355a9

SHA1
e84082ea27bb74d8fbba48dc1b4f73c7dca28422

SHA256
bfd1930643cfca8515c2e61e0206ab19b7d9dbe148feb4e361229f3e5ecc13ec

SHA512
761c5dee13e6a7c7b649ff5d61beb11ec1122a1d5eea9d84af859fc90eef17deb6590ab94ab424a9c9bfa5f514f466eeb9ada1c9b9fae31cf3bc5fc9e8318d0d

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
1.1MB

MD5
6282967f7cda810d980bb13ddb3417aa

SHA1
74707e1b5dd1c3318aa07ecf6b270d3c3ac842b9

SHA256
f53c523464e22815198f282d8409e4b2ab3f920e4be4055dad9a43ee733e89f2

SHA512
ee428b0f3c7b17e209dc31994bc57e55c94345bf113ff529c46b8cdb199e40203df99e24ea5f3cbda426e186adf25f1a14b7cd0a8c0a2206fd2ead196e02795b

Download Submit
C:\Windows\SysWOW64\Kkbkmqed.exe

Filesize
1.1MB

MD5
486bc82369f9f1eec22afcddb55ada98

SHA1
469d5b2866c0c5231f677d2677623bf9c10f1997

SHA256
eea2dfdf5a6292352c44340bfd8719b8ffb7601409aae4623fa33bc17e8a4c30

SHA512
d9aec3f77b031460ecd518f3d5d2cff5eb0f87d01c972f1f004c461d4d8b2b2c7091961e38f4c433c14f7badc38b2ec07b419c103209d1f118fc75e75fd9e49f

Download Submit
C:\Windows\SysWOW64\Klmnkdal.exe

Filesize
1.1MB

MD5
0dc9aa213e4b36a21e971ea5152e5c68

SHA1
9cdbc81df24a6514c4a0dafb000caeaff4ddab89

SHA256
609d848e6ddb4cbd78a29a7076809ac320cd05a18f55ce0e13c42b68b323b65e

SHA512
d959e5631c49225bd12583b7438140993c70915651048a5b9b3245144d8d74df55f5a373efdc81b64630aa8c772b32d9cc422b5964f44d9f29f9ff9845f35d74

Download Submit
C:\Windows\SysWOW64\Kocphojh.exe

Filesize
1.1MB

MD5
fddf957aa04f2b0c1f0071c916089a4e

SHA1
49ad29b7d979600a4e5e67ab762834f0bceef9d9

SHA256
b114f4721209b2329c183cf16d258dc83d43a7f48a06126596a3e17be38cda4b

SHA512
235f6065e60505adb8ac8896e722be2cfae802a1226cd1f12aaf01fc7897b7f2dc12e1a90a70c8451cd223dc32ab9eaf41a9cf53cd4e4499928f220c1cfaa7e4

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
1.1MB

MD5
eca31fdc74c650b64858d2d14e2c37dc

SHA1
e9c99a923e57596082b76f8f85dfebd8dffa01a2

SHA256
90caf986f65507f818d85153142ccab9e2c31700eae4182171b0d2cf19716fc6

SHA512
0827e017d6199989cfd8b1c64cd167e7372c98373e9e01544670901fc5fa103a6c6d7f6478ff36eb64cf9cf5959a86109ecb2ffa08ae3e7074c1a44490c6806a

Download Submit
C:\Windows\SysWOW64\Lkqgno32.exe

Filesize
1.1MB

MD5
c9a09e3aa62ce8e52ddfcf4ef074be43

SHA1
7680fcf38f5dc19d3e01ffbdfdfdb73329569594

SHA256
21895810bf9263be4c90b04f42ed6df6bb0d15311fcca68521f8bbeed5dc9f8d

SHA512
44db7b0c048bde581576ea410e241408500faef3663ee8571484f0854abd6e19c632e81476929ffd60b25ddb23af1df5701679ad964f08bd1be722dbf898fdb3

Download Submit
C:\Windows\SysWOW64\Mkddhfnh.dll

Filesize
7KB

MD5
d304c2b05215f8b2fccd43b73e35cd49

SHA1
c10d511b0a4fe623b1d0146030bfc14361a4efb7

SHA256
d4d881d8097df2be7ab087bdc1592c1e759b23586fcc21e84d957737dc2fa78f

SHA512
3dc7be1c1396313e83e9a1e445606e7c9ef23e7cf94a8f449fbcb284531215051a8fdc18057bd5c2a4dd4283ab9cca67fc72658908bc9f4ce87bd46d34e5e630

Download Submit
C:\Windows\SysWOW64\Ncjdki32.exe

Filesize
1.1MB

MD5
9acf7617fbd2ecfa13015d89e3241514

SHA1
3604589404d5a2f0e53335da80d6c31588df380d

SHA256
a324a94bce10db41aa6c88f26b667428e2deb57be90e41916f907f6bb7914482

SHA512
4a8ccd744e983acbfa32ec5f972d92df2c0b94ecf482d502fff82f0013249de572a6879bd5668a33e5a2082a4b491e20f5088cb1d9d1c95051a89048d46c937c

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe

Filesize
1.1MB

MD5
6154fb445e79adf73833430b72048176

SHA1
2d1c22c794191796d6f070ba74bc3392e3d1acbd

SHA256
dff6f58ef410d3c27e24fc4381e659f247b1366f7417d1982fc27f3974564ac0

SHA512
64065c3dd6ed2c12578493413aec2d556e82c18e244ad37eb1677239f5f604dc7d25ab3bc348f5bc63350ae7c2ab21d4d5532b5b6bbab70c3e2fa36fbdcc3dcf

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
1.1MB

MD5
f82f0b37a0cc6d8cd56502c086754ed9

SHA1
5fe35bb3a88f1a347146ab1738f9ca45f3ad8642

SHA256
9732878fb50760c8b6870d115ecc408f7a334703883bfbe548a6977cbee1d922

SHA512
8c3e2b4d2a00e2fc92c6066bb4c32346289df1a240783aba708848d732a4833a661029588aed543b21ce5359d33707b4c39fa80396a1a40059c3cc6eb54e2984

Download Submit
C:\Windows\SysWOW64\Pkmhgh32.exe

Filesize
1.1MB

MD5
6c665e585026ec1ecf38f38f6c58378d

SHA1
288ac43b7336097a5feae0e1d12a549717e258b6

SHA256
94157da284f4961fd2374c95c5948b0f467672198d633be03fd21354145f419f

SHA512
58a017d87f8a3d9c7ac58361e1c7245edf892ae6f456fdbf3525a938478084556b15f58dc932b432303843249de36f7b0d5a515e53de4011ec89f6ca8eba15e5

Download Submit
C:\Windows\SysWOW64\Qifbll32.exe

Filesize
1.1MB

MD5
905c5a18711fba514a7a003f02065681

SHA1
e715f294d295b9f70d0e9ec5aef8dfd72ac1f011

SHA256
5f9181080fe1403654a2b6ca4edffc1a4d02d1bff51fe50a2a85aba39f728b4a

SHA512
d13fd41a9d9001ef37d998baa9230927262a08f31573fa0204db5022dd5ffc3d32a0549af7b64e5c391a924412150a6deabc13a7722fb2219466e84c31702666

Download Submit
memory/804-188-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/804-276-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/808-351-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/880-374-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/880-306-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/892-91-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/892-177-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/948-160-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/948-249-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1108-125-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1108-213-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1144-267-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1144-178-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1272-152-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1272-240-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1352-228-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1548-402-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1548-333-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1576-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1576-204-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1620-259-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1620-332-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1664-429-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1664-361-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1676-285-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1676-353-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1820-382-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2076-133-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2076-47-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2092-268-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2092-339-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2096-79-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2096-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2164-410-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2192-124-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2192-40-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2328-141-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2328-56-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2340-368-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2356-367-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2356-299-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2500-150-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2500-64-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2616-168-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2616-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2724-98-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2724-187-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3052-108-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3052-195-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3088-71-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3088-159-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3164-36-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3196-97-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3196-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3212-284-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3212-196-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3480-224-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3480-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3596-388-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3596-319-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3636-277-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3636-350-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3648-312-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3648-381-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3664-250-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3664-325-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3728-232-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3728-311-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3832-28-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3832-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3884-231-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3884-143-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3896-170-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3896-258-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3964-416-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3976-396-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4160-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4160-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4332-298-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4332-215-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4388-354-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4388-422-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4540-389-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4652-395-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4652-326-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4736-292-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4736-360-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4756-241-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4756-318-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4888-423-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4992-375-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5048-409-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5048-340-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5056-403-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5080-205-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5080-291-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads