eb7cb3ad6c19fa47b5bab8b23ef8d042444b8efd77be1fc1508a50b6548a9035

Analysis

max time kernel
116s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb7cb3ad6c19fa47b5bab8b23ef8d042444b8efd77be1fc1508a50b6548a9035N.exe
Size

56KB
MD5

be1268d0ae1f2b9ab5007c1567e25f40
SHA1

de78ba212d96ced6256e242dc1fa6bb399540562
SHA256

eb7cb3ad6c19fa47b5bab8b23ef8d042444b8efd77be1fc1508a50b6548a9035
SHA512

fec0f47d91f5ff247b0f753aff8552003d70aeb7fdc1195b436157cbb3d8cf41a946d15308bc3503888ce515d8babb5afefa8633ac919a271d20ed75d0888f7e
SSDEEP

1536:lz/KtHkKMd5jnXMSDqoy4OcwPmlvxKuieHKHFAyxP:pSHMPXHGpDuRmP

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nooikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidfpki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkled32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlidpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdngpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odedipge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apddce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iloajfml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqpbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igjbci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdopjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabglnco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iloajfml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlidpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcoepkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Indkpcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhgmcp32.exe

Executes dropped EXE 64 IoCs

pid	Process
4016	Hjolie32.exe
4948	Haidfpki.exe
1828	Hgcmbj32.exe
4724	Hbiapb32.exe
3968	Hcjmhk32.exe
860	Hnpaec32.exe
4024	Hcljmj32.exe
1228	Hjfbjdnd.exe
3952	Iapjgo32.exe
2408	Igjbci32.exe
3624	Indkpcdk.exe
1188	Iabglnco.exe
4236	Ijkled32.exe
3376	Ieqpbm32.exe
2628	Ilkhog32.exe
1920	Iagqgn32.exe
2972	Ijpepcfj.exe
3240	Iajmmm32.exe
3856	Iloajfml.exe
5080	Jbijgp32.exe
1084	Jlanpfkj.exe
2188	Jblflp32.exe
4580	Janghmia.exe
1092	Jbncbpqd.exe
3404	Jdopjh32.exe
4420	Jnedgq32.exe
4604	Jacpcl32.exe
1756	Jdalog32.exe
4080	Jlidpe32.exe
4520	Kbeibo32.exe
4816	Koljgppp.exe
3904	Kehojiej.exe
3528	Kaopoj32.exe
2676	Kocphojh.exe
3020	Kdpiqehp.exe
4508	Lhmafcnf.exe
4644	Laffpi32.exe
3760	Lojfin32.exe
2644	Llngbabj.exe
2764	Lefkkg32.exe
4800	Mlbpma32.exe
2336	Mcoepkdo.exe
2488	Moefdljc.exe
1260	Mepnaf32.exe
1408	Mddkbbfg.exe
3316	Mojopk32.exe
4460	Mdghhb32.exe
2612	Nkapelka.exe
4012	Ndidna32.exe
4140	Nooikj32.exe
3752	Nhgmcp32.exe
4076	Ncmaai32.exe
2036	Nhjjip32.exe
4528	Nkhfek32.exe
2724	Nbbnbemf.exe
3328	Nlgbon32.exe
4996	Nbdkhe32.exe
2976	Ohncdobq.exe
560	Oljoen32.exe
2964	Obfhmd32.exe
2196	Okolfj32.exe
2984	Obidcdfo.exe
2160	Odgqopeb.exe
4660	Okailj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ocmjhfjl.exe	Omcbkl32.exe
File opened for modification	C:\Windows\SysWOW64\Qcncodki.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Hgcmbj32.exe	Haidfpki.exe
File opened for modification	C:\Windows\SysWOW64\Oljoen32.exe	Ohncdobq.exe
File created	C:\Windows\SysWOW64\Gcdfnq32.dll	Odedipge.exe
File opened for modification	C:\Windows\SysWOW64\Jblflp32.exe	Jlanpfkj.exe
File opened for modification	C:\Windows\SysWOW64\Okolfj32.exe	Odedipge.exe
File created	C:\Windows\SysWOW64\Cogcho32.dll	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Qbngeadf.exe	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Dqjhif32.dll	Apddce32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolie32.exe	eb7cb3ad6c19fa47b5bab8b23ef8d042444b8efd77be1fc1508a50b6548a9035N.exe
File created	C:\Windows\SysWOW64\Pjpjea32.dll	Indkpcdk.exe
File created	C:\Windows\SysWOW64\Oapijm32.dll	Ieqpbm32.exe
File opened for modification	C:\Windows\SysWOW64\Ofgmib32.exe	Okailj32.exe
File created	C:\Windows\SysWOW64\Pcfmneaa.exe	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Pomncfge.exe	Pehjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Jdalog32.exe	Jacpcl32.exe
File created	C:\Windows\SysWOW64\Bkjbah32.dll	Kaopoj32.exe
File opened for modification	C:\Windows\SysWOW64\Obfhmd32.exe	Oljoen32.exe
File opened for modification	C:\Windows\SysWOW64\Lojfin32.exe	Laffpi32.exe
File created	C:\Windows\SysWOW64\Ndidna32.exe	Nkapelka.exe
File created	C:\Windows\SysWOW64\Pofhbgmn.exe	Pilpfm32.exe
File opened for modification	C:\Windows\SysWOW64\Igjbci32.exe	Iapjgo32.exe
File created	C:\Windows\SysWOW64\Jbncbpqd.exe	Janghmia.exe
File created	C:\Windows\SysWOW64\Kbeibo32.exe	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Bbndhppc.dll	Pdngpo32.exe
File opened for modification	C:\Windows\SysWOW64\Poidhg32.exe	Pmjhlklg.exe
File opened for modification	C:\Windows\SysWOW64\Qbngeadf.exe	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Hcljmj32.exe	Hnpaec32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqpbm32.exe	Ijkled32.exe
File created	C:\Windows\SysWOW64\Olkpol32.dll	Llngbabj.exe
File opened for modification	C:\Windows\SysWOW64\Mepnaf32.exe	Moefdljc.exe
File created	C:\Windows\SysWOW64\Eknanh32.dll	Nhjjip32.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Aimhmkgn.exe
File created	C:\Windows\SysWOW64\Iabglnco.exe	Indkpcdk.exe
File opened for modification	C:\Windows\SysWOW64\Iagqgn32.exe	Ilkhog32.exe
File opened for modification	C:\Windows\SysWOW64\Iajmmm32.exe	Ijpepcfj.exe
File created	C:\Windows\SysWOW64\Mdghhb32.exe	Mojopk32.exe
File created	C:\Windows\SysWOW64\Pdgfaf32.dll	Nooikj32.exe
File opened for modification	C:\Windows\SysWOW64\Ncmaai32.exe	Nhgmcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ohncdobq.exe	Nbdkhe32.exe
File created	C:\Windows\SysWOW64\Qkfkng32.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Hcjmhk32.exe	Hbiapb32.exe
File created	C:\Windows\SysWOW64\Koljgppp.exe	Kbeibo32.exe
File opened for modification	C:\Windows\SysWOW64\Kocphojh.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Hlkjom32.dll	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Apddce32.exe	Qcncodki.exe
File created	C:\Windows\SysWOW64\Haidfpki.exe	Hjolie32.exe
File created	C:\Windows\SysWOW64\Janghmia.exe	Jblflp32.exe
File created	C:\Windows\SysWOW64\Eiebmbnn.dll	Nkhfek32.exe
File created	C:\Windows\SysWOW64\Dpchag32.dll	Ijpepcfj.exe
File created	C:\Windows\SysWOW64\Okolfj32.exe	Odedipge.exe
File opened for modification	C:\Windows\SysWOW64\Pofhbgmn.exe	Pilpfm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdghhb32.exe	Mojopk32.exe
File opened for modification	C:\Windows\SysWOW64\Nhgmcp32.exe	Nooikj32.exe
File created	C:\Windows\SysWOW64\Ofijnbkb.exe	Oooaah32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkled32.exe	Iabglnco.exe
File created	C:\Windows\SysWOW64\Ckdlidhm.dll	Jbijgp32.exe
File opened for modification	C:\Windows\SysWOW64\Llngbabj.exe	Lojfin32.exe
File created	C:\Windows\SysWOW64\Nhjjip32.exe	Ncmaai32.exe
File opened for modification	C:\Windows\SysWOW64\Oooaah32.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Poidhg32.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Hnpaec32.exe	Hcjmhk32.exe
File opened for modification	C:\Windows\SysWOW64\Indkpcdk.exe	Igjbci32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijkled32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iagqgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefkkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimhmkgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcjmhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moefdljc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcoepkdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb7cb3ad6c19fa47b5bab8b23ef8d042444b8efd77be1fc1508a50b6548a9035N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfbjdnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Indkpcdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iabglnco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacpcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbiapb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdalog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlbpma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbnbemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oooaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Haidfpki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koljgppp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mepnaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohncdobq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdopjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnedgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlidpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojfin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mddkbbfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nooikj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofhbgmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igjbci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehojiej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmafcnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhfek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oljoen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janghmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhjjip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obfhmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obidcdfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbncbpqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndidna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcljmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkhog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iloajfml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llngbabj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nooikj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlbphhk.dll"	Mlbpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codncb32.dll"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll"	Kehojiej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	eb7cb3ad6c19fa47b5bab8b23ef8d042444b8efd77be1fc1508a50b6548a9035N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldqdebb.dll"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdfnq32.dll"	Odedipge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbbnbemf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloojfj.dll"	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pomncfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iloajfml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moefdljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcboj32.dll"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqblnhh.dll"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okcfidmn.dll"	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlidpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbmdj32.dll"	Ijkled32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfidek32.dll"	Lefkkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odedipge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljloomi.dll"	eb7cb3ad6c19fa47b5bab8b23ef8d042444b8efd77be1fc1508a50b6548a9035N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbobjbh.dll"	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifiamoa.dll"	Mepnaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpijjbj.dll"	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iilpao32.dll"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbejblj.dll"	Hgcmbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkjoj32.dll"	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdlidhm.dll"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laffpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbdkhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidfpki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahlk32.dll"	Igjbci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Podkmgop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 4016	4108	eb7cb3ad6c19fa47b5bab8b23ef8d042444b8efd77be1fc1508a50b6548a9035N.exe	89
PID 4108 wrote to memory of 4016	4108	eb7cb3ad6c19fa47b5bab8b23ef8d042444b8efd77be1fc1508a50b6548a9035N.exe	89
PID 4108 wrote to memory of 4016	4108	eb7cb3ad6c19fa47b5bab8b23ef8d042444b8efd77be1fc1508a50b6548a9035N.exe	89
PID 4016 wrote to memory of 4948	4016	Hjolie32.exe	90
PID 4016 wrote to memory of 4948	4016	Hjolie32.exe	90
PID 4016 wrote to memory of 4948	4016	Hjolie32.exe	90
PID 4948 wrote to memory of 1828	4948	Haidfpki.exe	91
PID 4948 wrote to memory of 1828	4948	Haidfpki.exe	91
PID 4948 wrote to memory of 1828	4948	Haidfpki.exe	91
PID 1828 wrote to memory of 4724	1828	Hgcmbj32.exe	92
PID 1828 wrote to memory of 4724	1828	Hgcmbj32.exe	92
PID 1828 wrote to memory of 4724	1828	Hgcmbj32.exe	92
PID 4724 wrote to memory of 3968	4724	Hbiapb32.exe	93
PID 4724 wrote to memory of 3968	4724	Hbiapb32.exe	93
PID 4724 wrote to memory of 3968	4724	Hbiapb32.exe	93
PID 3968 wrote to memory of 860	3968	Hcjmhk32.exe	94
PID 3968 wrote to memory of 860	3968	Hcjmhk32.exe	94
PID 3968 wrote to memory of 860	3968	Hcjmhk32.exe	94
PID 860 wrote to memory of 4024	860	Hnpaec32.exe	95
PID 860 wrote to memory of 4024	860	Hnpaec32.exe	95
PID 860 wrote to memory of 4024	860	Hnpaec32.exe	95
PID 4024 wrote to memory of 1228	4024	Hcljmj32.exe	96
PID 4024 wrote to memory of 1228	4024	Hcljmj32.exe	96
PID 4024 wrote to memory of 1228	4024	Hcljmj32.exe	96
PID 1228 wrote to memory of 3952	1228	Hjfbjdnd.exe	97
PID 1228 wrote to memory of 3952	1228	Hjfbjdnd.exe	97
PID 1228 wrote to memory of 3952	1228	Hjfbjdnd.exe	97
PID 3952 wrote to memory of 2408	3952	Iapjgo32.exe	98
PID 3952 wrote to memory of 2408	3952	Iapjgo32.exe	98
PID 3952 wrote to memory of 2408	3952	Iapjgo32.exe	98
PID 2408 wrote to memory of 3624	2408	Igjbci32.exe	99
PID 2408 wrote to memory of 3624	2408	Igjbci32.exe	99
PID 2408 wrote to memory of 3624	2408	Igjbci32.exe	99
PID 3624 wrote to memory of 1188	3624	Indkpcdk.exe	100
PID 3624 wrote to memory of 1188	3624	Indkpcdk.exe	100
PID 3624 wrote to memory of 1188	3624	Indkpcdk.exe	100
PID 1188 wrote to memory of 4236	1188	Iabglnco.exe	101
PID 1188 wrote to memory of 4236	1188	Iabglnco.exe	101
PID 1188 wrote to memory of 4236	1188	Iabglnco.exe	101
PID 4236 wrote to memory of 3376	4236	Ijkled32.exe	102
PID 4236 wrote to memory of 3376	4236	Ijkled32.exe	102
PID 4236 wrote to memory of 3376	4236	Ijkled32.exe	102
PID 3376 wrote to memory of 2628	3376	Ieqpbm32.exe	103
PID 3376 wrote to memory of 2628	3376	Ieqpbm32.exe	103
PID 3376 wrote to memory of 2628	3376	Ieqpbm32.exe	103
PID 2628 wrote to memory of 1920	2628	Ilkhog32.exe	104
PID 2628 wrote to memory of 1920	2628	Ilkhog32.exe	104
PID 2628 wrote to memory of 1920	2628	Ilkhog32.exe	104
PID 1920 wrote to memory of 2972	1920	Iagqgn32.exe	105
PID 1920 wrote to memory of 2972	1920	Iagqgn32.exe	105
PID 1920 wrote to memory of 2972	1920	Iagqgn32.exe	105
PID 2972 wrote to memory of 3240	2972	Ijpepcfj.exe	106
PID 2972 wrote to memory of 3240	2972	Ijpepcfj.exe	106
PID 2972 wrote to memory of 3240	2972	Ijpepcfj.exe	106
PID 3240 wrote to memory of 3856	3240	Iajmmm32.exe	107
PID 3240 wrote to memory of 3856	3240	Iajmmm32.exe	107
PID 3240 wrote to memory of 3856	3240	Iajmmm32.exe	107
PID 3856 wrote to memory of 5080	3856	Iloajfml.exe	108
PID 3856 wrote to memory of 5080	3856	Iloajfml.exe	108
PID 3856 wrote to memory of 5080	3856	Iloajfml.exe	108
PID 5080 wrote to memory of 1084	5080	Jbijgp32.exe	109
PID 5080 wrote to memory of 1084	5080	Jbijgp32.exe	109
PID 5080 wrote to memory of 1084	5080	Jbijgp32.exe	109
PID 1084 wrote to memory of 2188	1084	Jlanpfkj.exe	110

C:\Users\Admin\AppData\Local\Temp\eb7cb3ad6c19fa47b5bab8b23ef8d042444b8efd77be1fc1508a50b6548a9035N.exe
"C:\Users\Admin\AppData\Local\Temp\eb7cb3ad6c19fa47b5bab8b23ef8d042444b8efd77be1fc1508a50b6548a9035N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\SysWOW64\Hjolie32.exe
  C:\Windows\system32\Hjolie32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\Haidfpki.exe
    C:\Windows\system32\Haidfpki.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\SysWOW64\Hgcmbj32.exe
      C:\Windows\system32\Hgcmbj32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Windows\SysWOW64\Hbiapb32.exe
        
        C:\Windows\system32\Hbiapb32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4724
      - C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Hcljmj32.exe
        
        C:\Windows\system32\Hcljmj32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Igjbci32.exe
        
        C:\Windows\system32\Igjbci32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Ijkled32.exe
        
        C:\Windows\system32\Ijkled32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Lefkkg32.exe
        
        C:\Windows\system32\Lefkkg32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        48⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1444
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:800
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        74⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        75⤵
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2300
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        83⤵
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        95⤵
        
        PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=1012 /prefetch:8
1⤵
PID:5220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haidfpki.exe

Filesize
56KB

MD5
6531892dac59da7435e6f71b15408cb5

SHA1
6850cbd492040979ace8306e2e75221930e85ef8

SHA256
5dcc3758170555761e3f41706523a3516140f5225101d7d237a3959abcde6893

SHA512
5aa1ca9c9a3657e2682f5964d7e86b09993bcb4dda42c44e7282212edf83875efe7ad95a8e92f11a96bbdca825970428e43f720121cf0020a8cc04c648fed09d

Download Submit
C:\Windows\SysWOW64\Hbiapb32.exe

Filesize
56KB

MD5
99851b092eeb2197d770882166795e48

SHA1
b0adc3686aa1ea243196418c5ccc497b1e244ab9

SHA256
6cc106d09923db65107fc62ffd8599d49eed9c5db53229391d986a93fd0fe468

SHA512
79cb74695744e0eee84aa82136161457d60d0c6e0acaa65c686c13821439141b71dcfa16b66f823a7dcf13ec835ebb00f7efc95fc1a26a409f2c5cf5a07a8624

Download Submit
C:\Windows\SysWOW64\Hcjmhk32.exe

Filesize
56KB

MD5
f894c0d74cbec3bc83b0f6b3b4586c03

SHA1
46901b748004c24a170dc13865397f03b49421f1

SHA256
5dbedff103c609d7b1312ad955bbdc39756ac15a99c7b856d3e6ccedcbdfa9ba

SHA512
a8dc3cad08a3d99b6cc41e2f30875f1c971a811fc0b4f22464a8a68f302f1a5b5e3d7f41b6c09ee92f6ff52f0f779813f24fa194c4385146c70b5cbe5f1e444b

Download Submit
C:\Windows\SysWOW64\Hcljmj32.exe

Filesize
56KB

MD5
547f1bef4745f7f75db47ad76c8dd236

SHA1
ac80095c088cab9b2228099549a97a03e31c535f

SHA256
15c7373681d176523444de95b629bd62b186a5c410f6c10a36c1350dce7a1722

SHA512
d515327f051510f8baaf42ee5ca5d69d06126f2af19d64c9179177b0452a1d9e5dd749113789d21fb90caeb5dff1c2e2255a96f92f706ccd6bd780061c89fa3d

Download Submit
C:\Windows\SysWOW64\Hgcmbj32.exe

Filesize
56KB

MD5
c986ae0e9f2367e7dd3d7d6bde12840c

SHA1
ecaf9aad279247c2ad5ce7a45567a2dbeb8340aa

SHA256
7ba62284ffcbdca98956095fcbea0e9190d3afd69325378bc46f57663951f42f

SHA512
0436545862da06b9b9a870cff020b194aaa84f07c8207087a5778cb08ec6a20f96651aeb098913a13f52e0796e1ab3fbc23ca3a2eee7ac5f59d01fa86e687644

Download Submit
C:\Windows\SysWOW64\Hjfbjdnd.exe

Filesize
56KB

MD5
76fc27c6aed1d7a95428934b0b952dfc

SHA1
c8a1b007493f51c03a78901ccb1e5e0d3584d9d1

SHA256
c6755712c42f3d196e14c515f08377dd46ae455806c3b304f6c62ed9dcb229e4

SHA512
e43aa8ed7f8dadb6a2a7448d6c6d2937abfc25d013740f4ea0bcf161a09ad48c47dd06b80ed91a3186f86edee35b8a1691865a4b6045100d1f1f8ec9968e4392

Download Submit
C:\Windows\SysWOW64\Hjolie32.exe

Filesize
56KB

MD5
b4da59379a8fdc42b7f1c53022db918b

SHA1
dac3fe6b92cc5aa233f2dc58f80eb968de53bbc9

SHA256
a23d04eb06ebde0c9ceb83b269a89d48d19488b9b913094080e929fb96eb78d3

SHA512
ceda28711bd8b4b415641c9eef1131574e7e135e965faebf4beb24eb35c326cb24363691373d59fecdad4979e6c1fd074ed39ff519281a30eeee110931d0ef93

Download Submit
C:\Windows\SysWOW64\Hnpaec32.exe

Filesize
56KB

MD5
4a3b197590ccab5b3a195e57005d839f

SHA1
63b658a8fcdc05b93846245c8733f5e544542bab

SHA256
7e6510cdcae295e3b85744e18150b29f48d0b12c0cf05270690cae038b2d68d8

SHA512
f997026260c53772d1cc771c21c6089758c7200111a399e838405957312680679d4b1a8ebb66d76f148b1bec3a86e24addcdc277f794b58dd4250be533f49a10

Download Submit
C:\Windows\SysWOW64\Iabglnco.exe

Filesize
56KB

MD5
49f8115de3971141fe2edd26a4a8d64e

SHA1
650303761546a65c0ffb248d2d7b675bb1c454b6

SHA256
e6ab4e32ec234ad46b2461aa1b1820ab287c1e60e7e397bde7a8b6a561304174

SHA512
e9e7ad7ba8ce82cf107e8abea2d1eb77de05d8a4a1b24356de2e450b3878ba5b2e44ed683deba50780fb373ffcb83aea0e8f16999c2c752595079bbb9d612bdb

Download Submit
C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
56KB

MD5
e892d3270ffa82ce2b877b3277e810bb

SHA1
6cc26ad19b62060799d294820b3c63fe0f4bdcd3

SHA256
42340dcf1d9f9fce511f8afe0b45efb11d3e8e1d05df8e414f2a2c18e59ddaad

SHA512
e60072c240ef31e311cb4ff0310d612655e54f4234f37ac67cbeef15f1e42652aeb9006ab92bd73552b81bcfa600f5c874585156cc3d40cd767ffaefcfcc4592

Download Submit
C:\Windows\SysWOW64\Iajmmm32.exe

Filesize
56KB

MD5
16ee8c1f665ba84688122b49b3f49585

SHA1
45c998b0c41597f093b985054764424b9dabe93c

SHA256
3ed0ffc07232c94f0c2eac7be6cc3c250cf592801b2e63ed85b7c0406dd62a5e

SHA512
c1e123d5460fd9a82e9269c61cbac5f7cb2e845683f76cd0a43f6634b4120cece519ec3eae8548f975e56a91d896abefcb59d113256a17155d3aec130aa292fe

Download Submit
C:\Windows\SysWOW64\Iapjgo32.exe

Filesize
56KB

MD5
8220c50bec352798ec707ae52954ded3

SHA1
b10672c1ec19569c9e0ecbc1ba17c9ba213c7bfe

SHA256
2a2053d563e4acd30e5b7b6aaaff92bd20d6d675246fd33f4a4843f49f4e3ac1

SHA512
f97e5e78c31101e0f57256a78cb5786dd47cb0e4bc172acc49af9b55b0a295d651f4a04fe82c5e912b85a81cefd3a718a20d870cfdd3595e6b795f98bfa91096

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
56KB

MD5
245f57f5d167911ea6056625cccd0082

SHA1
fa476a9d7c78f32ea682ee669d09b6103f7b4aee

SHA256
f241ec232555bd1f4fe4da027c35cf26deb6439d6316f64b894e26534be2632c

SHA512
aa8ca04654b4db50237cef3491c39d1dc4e90806a6a541ff15e58223cfc7dfa7a338e3c2dd065f48974e7933909d0f40e823d59778819a3b7c6d0c2c20c6fdc1

Download Submit
C:\Windows\SysWOW64\Igjbci32.exe

Filesize
56KB

MD5
83cdf93a5dcaff065ce940044d419fb8

SHA1
bd6a78eebecd681a3764e7a9f0abcee990c8180e

SHA256
45b9b060c61ba67ca6f9fd6d7817952201ea0c6a4c2fb87eb8b8c68599d2b266

SHA512
134e2506b3f5c9f965d0bd7876776dd3088460a2d9d281b91ceeb980cfa74535c9373176e12cf7de1b6be58d2867ac223c517c73a1151353e66c5d6332787500

Download Submit
C:\Windows\SysWOW64\Ijkled32.exe

Filesize
56KB

MD5
004ca6f79ed65da85e1200b6a83f5133

SHA1
f218c90e92216492595845fb713c005fa7bec410

SHA256
88aed946bdee8f966d8addb9420004b4e66593a56c22f0b0da7f685d2ced7871

SHA512
8f6d56ba7765bfb944bda5920c92a66fb9afeb94f7ddb8c1db15a9b4df4c364af69f4f5aac57c4da287828b81da80f268d26c533461577973244b8df399ac848

Download Submit
C:\Windows\SysWOW64\Ijpepcfj.exe

Filesize
56KB

MD5
5275ec7435ee835a1745c8436d332f67

SHA1
30843d553f25b96cebbed6ceb7f49dd0e300f779

SHA256
4160537ba80082baba44f69b5c63eaf442effb37b4800c30c79b837bf3eb5f3a

SHA512
1961e084eabc9069316e455b792ea13ddf3d7e90b7491d7d4fa0ef460e971f57fb0346e3fb2ef829d46b4556928f953dcd1760707f5d53053330bf0ed564db47

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
56KB

MD5
480eea4076f9f5cbeb90cd1ea3b19fd4

SHA1
0dc0d7cbe0ca1e58a0422156d313dae643e3af50

SHA256
d29c132fc68d37dc7969a6203389801e469a7da3f33a72cfbf96858c9483315c

SHA512
47c2ac4e42f079b497cf8415df2dd8242468bd85db4a6ccc9ea0ce3b6c0367aad60a13e5e94804eef070867b5ae230b189c77757ad8989d496c769bec2eec657

Download Submit
C:\Windows\SysWOW64\Iloajfml.exe

Filesize
56KB

MD5
589db63634fb946cfc52da9a9ae4d6d4

SHA1
f88de3d402b5b2b7192ca80f48677703fc681304

SHA256
bfd0d33ba01c5bba95be28952184d2e66932a01f9294be8c8ae05b3c220d814d

SHA512
5e37246340b39f00b557ac0d29217ca52964976ae7de2dffe9929616da9c1c1af0c341b9485fde8f452e2aafaf33de8742f1e58d78b36664fa937c273fc15a39

Download Submit
C:\Windows\SysWOW64\Indkpcdk.exe

Filesize
56KB

MD5
bb7d31bfc04a961be73d7de934f73334

SHA1
3f9325c69dd3d363593865e1bb0d36fdbfc1f6cf

SHA256
83eea4e3c0aae38232811d29f1e48500e1de25d697f4f4865cdf851517234ec6

SHA512
d79a7866dd70c65281a24eb6d79ac912216ef9f9c20c42ee85605b176ea0dae4fbc58847ed73d979482f414fb068c9783a9fd4b82db89d10b31cd48ea22592d2

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
56KB

MD5
4cd28f911f68f3e77730ded9103c96d8

SHA1
8675bcdeb093a4e0ed63d4d46a727c6366feb765

SHA256
86f6fe406f243b9d40ef3b673d969c5009daf888f96faf3f69ec50a088cb3709

SHA512
98481f1302ae1fafe8db75668f42fb96794730935dc29958ac1ada7aed198f1d2929bbba22fc596e00774d26e48a6aeedee227010e7e9f1950b89edd5130fd25

Download Submit
C:\Windows\SysWOW64\Janghmia.exe

Filesize
56KB

MD5
a33feb8a7d3f3d906a80ce2d02c47e5d

SHA1
ae51a43448b91b3a3b09f2cdd451a7ed0ec02879

SHA256
ab49dc3de348e2292ba2066fa8a384671fe732f5af9c8791b8bb5f5d429c88d3

SHA512
f4601f1e9a25527b209a54b9f8d304d8c9d2e721ea03cec3f4bf371d2f2f8696cdc49ada10fd41af9b0a2580f213fcee5076eb239ebe9484c755d46d74556bd5

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
56KB

MD5
c8bcf13873d6f6b1c06b450d8aa2f0d3

SHA1
789383add1f7ab84d02ca723e84cf5a3acfefeda

SHA256
64873743047ec519350019ee641a06c7a02b3023c4f91f88f52d6354c832d27f

SHA512
782aca92d910e811f0a20c7399f263078e45f9532be72c109463d212450b4a96098ddc6e7eecc1984a3c61533cc9f6f8ef9f2068055f1789962e604cb0d6179d

Download Submit
C:\Windows\SysWOW64\Jblflp32.exe

Filesize
56KB

MD5
c3eb0f7cbbaebbd325cb0c47040e5f49

SHA1
8c3d800ba63bc7ad5e02351ea76165d4d121d920

SHA256
93fa2ef482f3e12723205c0b1db8da52e4a309331f685657818a26fab012e1ed

SHA512
b07b8a3f6cc99e7a324992366876088dd0ea2bf7900e9f1fd056bc3cf87035662157b70516928d406c07e9aeddaff0055f357d3272d70d2caa1b9b288e7dcc01

Download Submit
C:\Windows\SysWOW64\Jbncbpqd.exe

Filesize
56KB

MD5
04e1642edf1e3a5c7b38a4d812d17d01

SHA1
5ad1dfbba8ee082a3c57e1c12988971b1916386e

SHA256
05552e13da997d7a8faf7ba0fc4433e51a7b60992cadee3f64c0d3cca1c0e441

SHA512
c0b7f3afcc435b6e608cdd9b2cd91cb2e9db544e16b02b081413527e4a36c55beceaf9529fc6a9e92083ca6467d9e9cfcf00e5ae2a407d31101c07297b01014b

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
56KB

MD5
a68c153973e2e8f2378d863e8588f667

SHA1
b2ab582d3ddeb82ee12860df4447022b80eeade4

SHA256
4386501cc860ca4978fa3399fdb67ea8c477b20c791d0fbbbe075304921eb102

SHA512
23e6acf251a795767cf078b701e15206d802dbf9440bef04a945a87b3b4005d8478e0dfd9c83b2326a4aa7604d04663c5b61b6906e12f169bff42c7b048743a4

Download Submit
C:\Windows\SysWOW64\Jdopjh32.exe

Filesize
56KB

MD5
5dfa83431fc606add315bf7531cc7c8d

SHA1
d190b9fb5a82d12f15fdbf8159319ac380036ee0

SHA256
714e2c2862bada35150681902d29b28c5a4ed8ad5d80ccc2e4ca4fbc73ecf456

SHA512
1107d1e9415490d3da56d6589a15ad2d906e51315abfdf2b0fa15e4430b5622b55cdfcdfab85786b2f627a7cdfbc43a43bb7d9499fe7c4e84ba4619c67be514e

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
56KB

MD5
384ef109c49a61b583119a19fdc04ea2

SHA1
1eb891a0889c329d09880cb461ced62dd7d93b1a

SHA256
95e0ee9230f06817b440980df1ebb294b5d4524276b2f890baf787fbb254d348

SHA512
a4e959257bd83552239269e82e793887e062766dde9ed2a284c0b872ddb2c9f365951bb88c1bb8ff6fcd43c81b03052d7c23c755c50c9c2a98df284bd828c2a1

Download Submit
C:\Windows\SysWOW64\Jlidpe32.exe

Filesize
56KB

MD5
22543c6be8f7cc30ea76582ee7bf64e6

SHA1
cb050e3dbfa897fe17a0617bb44bf6937a91010d

SHA256
8ccc4cdb6366a263ed5ffeacfaf39836ce63cbb9d287597d4950160cd8125dd4

SHA512
edbcfeb9c61252b430fa72d20cfd9c0fcdb96e6f161582343bb828a743fed3e0e2e91df6956d52a7836795402d84aa0fe278b095b8a8ee560e796ab8ea17784b

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
56KB

MD5
db32d6cfb755c79a76e04c851dbf28ad

SHA1
0cc4e1a4a62a0dfd54712bbdac3c4401af37599f

SHA256
39a38b3e86eead66940667b7f5479786c655c5c9b9fb1cb53f883e8332bff11d

SHA512
2d51bbb4c6746b470499f70443000cb1621371c45b48c2299edd5b197f9953554cdc47061ae40b5297d9bf961e4df1f56449e3960fd959cc65b5ef2f7ee84cfe

Download Submit
C:\Windows\SysWOW64\Kbeibo32.exe

Filesize
56KB

MD5
e94edb3d8f0806162893989f09fd081e

SHA1
d7c0422b59d93269337ca64b12bbb4f2a6376cef

SHA256
b92f67aa2c1ebe43a56dbde75d2e8dec6991466d0a5f8256840c73469b81a6f1

SHA512
d56672c5375dc65e78c0b91c854df0803522ec9c11ff12542ebc243fc45ea0b24800ed22bbd58d56364d511d30a09f6fac735b57063c1a37a3bf5dfa5b7ce89e

Download Submit
C:\Windows\SysWOW64\Kdpiqehp.exe

Filesize
56KB

MD5
cc8d3e879b27ab1818b2bb304594c56d

SHA1
a2de7d246dc91c5ff9f157bfd1c42a405aa7643b

SHA256
08702ae6647c21b511006e18f32e77c74b9748febe9f4fa2184682281f0a5362

SHA512
b053f52e500bc2192e29d4112edc991b10e6c0fcf3b706363d63d2f1ba3a7aaff4a53570810b367091ab45c036f1fba2729b1024d8d9e36bc5d82688d9a8a388

Download Submit
C:\Windows\SysWOW64\Kehojiej.exe

Filesize
56KB

MD5
c9ed1510fae622d15b6a05735443c6ad

SHA1
de1449e0ed9c781c9c12ac14d9c34f87632e2b22

SHA256
b655cfee1ab90f991d2546c215acef85884b61cbdb60d98c6c064fef580f8788

SHA512
43383da5d5bed6173da6b1df23706dea63f4fda54c04252136e899dcb8f0aa12d07a9120869cc1ea599c6d59c64fc4ad17ccbfa5fa9c7f8757ba742636861f8b

Download Submit
C:\Windows\SysWOW64\Koljgppp.exe

Filesize
56KB

MD5
244e673ff47ea3d7a0d184e4c6a4c725

SHA1
2d6534b2b6f6693d9e3c20f1286816e45bf91c17

SHA256
cbff43eed685c1d7162d33431d7b40d11e89497c6c2abde289c8631c76d08bdd

SHA512
57078c5774fcfef8a7840c28eac31ba99cc5ed46a566e2d3d3a4ddf4a7f6fa524b4a72aab0324360b067c74b92457cd281d52aa3113360ca3597d47d25d0d9c0

Download Submit
C:\Windows\SysWOW64\Mddkbbfg.exe

Filesize
56KB

MD5
002c9beb1ac6422789c690548c5b233b

SHA1
1869b8081ca1007216eff0b9c4369349773b921a

SHA256
1263111a0307b7f4aab039bc621e74a0c3d66858f47559ec01eb83198f3be363

SHA512
0dad5b482a56975c46cc94b328a3dede96fe474f75108b8f88f4fb32e9fabe98a43bdb2f1e621e18633f3d02e7ed116d9a2bbd998391c920b81a467c46f749aa

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
56KB

MD5
c464e4aa48b1fc5590469d76c600ca34

SHA1
09b604d9677e0a799d8b8ce307d7ad3cd9d087ba

SHA256
5449b53716d275dbd01bcf634623165d3b07bd55e096d84fcb7a1156e72414e1

SHA512
b572cedf2aed0dc6d8c88f8d2761a4d888c98eb8963384daa988ec51dd349a1b2814cdc9538f0dd50e60c7a08f4b356443fc7076c759e96d3c870206e07d0477

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
56KB

MD5
881c4fc5e23f222e3fd8745ef42106db

SHA1
d32d1b0000d30eaddd94bca37dba8f7cb8d70b5b

SHA256
be305543466ca322b1582530b99aea4888921170b86fce6702875338904d8c8a

SHA512
9e72e574a10dfe2223a107933d268c97cafcdbbb7e6c3a52a35f87832ef724cef8d1316477f1d555aba91a3f70d13f7eaf62dc8930e169b720f7eb4188119d62

Download Submit
C:\Windows\SysWOW64\Nooikj32.exe

Filesize
56KB

MD5
3971316cb9237994b98914b67aceb912

SHA1
02616ec439e795a1751960d5455b78357ae38f61

SHA256
521b9137206da2ec97f2093c61c8b153eb5284c53e44d2e9df7770fedd5222d1

SHA512
144d8eb7fd002f7347cbdafd52cca607edd1514bb978090cae603cfccfbe19805c4d87eb8dfd2bbe66541f1e26ec6e7588eb0cb6ef7e05f1b9ae6556536c42c8

Download Submit
C:\Windows\SysWOW64\Obfhmd32.exe

Filesize
56KB

MD5
db0b8d6475e93a5a7caba4525bb828df

SHA1
6ddd259ba718e296a08a6e4e84d100e2b6eeb67c

SHA256
c33ef71843f06c6f73e6a33aa4dab96d4a73a4debac58049e1426d2ac32dd5e9

SHA512
cf956584c4ab4d76c960396c8921e85850a5cd529ea80606a294474cecd6b46490bbb867958fc49a18b52af6e93b41c93c22aa4d16f5cb49bc286dce73585bfb

Download Submit
C:\Windows\SysWOW64\Ofijnbkb.exe

Filesize
56KB

MD5
ce8edff83a9e427a8c783fae2e264316

SHA1
0d812a115a74838f3698107f0d4da363eee14376

SHA256
f8bb45322a11f7cd0a9107286799361dd0afe033ca74931524b69411ff156864

SHA512
29fc6fbde72bfd5ad33982763e67ae8534342cfd711bdb782e127ae96417395cd565dbbc14ad040115d5d49b896f54b9e50a6737d694cdb47310fc21f262d36b

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
56KB

MD5
a33ba33465b670e020d66e2bc40993c1

SHA1
771c40d3e80a3a7900273b8477c9e49823addc3c

SHA256
9e1c356b15760e53c562338a65df0e274b5eceb3894f57c467f633186446fb76

SHA512
3615a805077f2d0626a0578f345dd1b552b996eebdc07dc51e5903c1d1731492c1dcbe77857a1e9cd4bcfa28e2cd9691dfa86ab0925304a0118eccf2618e4136

Download Submit
C:\Windows\SysWOW64\Pdngpo32.exe

Filesize
56KB

MD5
be0a4b090bec51f5d0b711b6a59e631f

SHA1
f294ae72341522f8508c2647fb4cff166a8b8172

SHA256
09f039598186d7bbbc14a6e68a51eab2fd69b7b8bfef6a0c14f7b5da24c1c2f7

SHA512
63ed2ac3d76caab6e336a21e456ffe20448b04c999d03d3631dc8fd8ee61a511cdc560788f256fdb17332651fa9adf59203a4cbf9779f5df0dcd35e0e0969442

Download Submit
C:\Windows\SysWOW64\Pfppoa32.exe

Filesize
56KB

MD5
dee1420c14fc50766727a42b6d4b0593

SHA1
1ff75eb011e31f6b9b84c902ce03feee1e918fb2

SHA256
90813bb2dd6271203a5bdf4cbf62f74dd8c40fced1515a3c11968fceedb533e2

SHA512
7a1facfac6c3aa9407b0ec517c7df5dded29f3bb95d3f9ee5cebeaccd27694b689c77e6aeb9ce15614d924f100fe3077e79b194780b1b41f0ca82f4d4eae33a7

Download Submit
C:\Windows\SysWOW64\Pmmeak32.exe

Filesize
56KB

MD5
7f32ec01f753cfd792505479efb3194b

SHA1
1074efdffaf41032288b278758712878cf3be8df

SHA256
72ff1a7e827e0cfa3ab38b6dd59c0f6e0aa46c01e2291b510684321aa23363c8

SHA512
c4f5590fc2b8fc8140a31c3b7c8852a6f68e44385391d41c057cc18b5f5000951a4dfac6d1e7ced598cbdb95d28f1fa43715f0f908144176aaa547522e775d1a

Download Submit
C:\Windows\SysWOW64\Podkmgop.exe

Filesize
56KB

MD5
4fe61172168b5aced878d690d957a299

SHA1
f2c11f633e4ae4484e0dae6cdd3f2297360341a6

SHA256
041b109b7239584bfb6bea0b2406f2d82d06121e9e9512e5fd085969e070fb8d

SHA512
8aa15fb64cf043273d1b26647367bc15461abbed6f60eb8ced84b6c88a4b06c72f4eb650f85868f11ffb7afbe37bd9b8d72e40df63c866fbce5c22e0b896070e

Download Submit
C:\Windows\SysWOW64\Qppkhfec.exe

Filesize
56KB

MD5
0d0cb7b56da38a153438c4869bb934e8

SHA1
51650b43eb8461f708807ece15a76c1b3715b9a3

SHA256
51a23f7e4008122aa697528824d4896514c9befc0bfe2f86a6465a02da9c15e2

SHA512
beb917c631082e4e04bcbaebaf58da152d8a9fe19c5f767d7559f18c0e854e3509bd73e4898faaf5a6e7e2c9e3d058806e58ac75c3b0b5c1351364a039179efa

Download Submit
memory/860-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3316-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4108-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4520-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4800-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4800-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads