241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
129s
max time network
173s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/0491a5abd0712b38f24778e1346c0811.exe
Size

143KB
MD5

0491a5abd0712b38f24778e1346c0811
SHA1

c52c80e2ca8e1cb603ebfadc19fa072aa5c61b9e
SHA256

25d1d88ba68e18711498409e521fd2c13dffce179f36ae8734fea5651048d47e
SHA512

48954abdb1ea32d36286bff19147c4c2a023dc84be8851504ce1fa6bf9c0894b2cd2b256a0f6f2a1c26c8c780d6168e3c7d3230c076b6a11ea67b6ed840dc768
SSDEEP

3072:9XTN8IiypgTJJZIjelpxNgmFO1gdd8jH:9XTGIiPFJZBFNtF0b

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikoopij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mapppn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laiipofp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljbnfleo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmojd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmcpoedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Noblkqca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmojd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooibkpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmkofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qikbaaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlgoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lancko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lebijnak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0491a5abd0712b38f24778e1346c0811.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geoapenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kabcopmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojqcnhkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbala32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Binhnomg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhldbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abfdpfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Geoapenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeocna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpgmhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piapkbeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aimogakj.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
12	1188	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
1636	Gihpkd32.exe
3128	Geoapenf.exe
1412	Gpdennml.exe
2224	Hecjke32.exe
4100	Hemmac32.exe
4888	Ilfennic.exe
5068	Iijfhbhl.exe
3412	Iogopi32.exe
1140	Ieagmcmq.exe
3116	Ipgkjlmg.exe
4252	Ieccbbkn.exe
880	Ibgdlg32.exe
948	Ipkdek32.exe
1984	Iehmmb32.exe
396	Joqafgni.exe
1268	Jhifomdj.exe
2404	Jbojlfdp.exe
2884	Jlgoek32.exe
1504	Jeocna32.exe
3212	Jikoopij.exe
1052	Jbccge32.exe
3320	Jpgdai32.exe
1688	Kedlip32.exe
4884	Klndfj32.exe
3080	Kefiopki.exe
2324	Kcjjhdjb.exe
1264	Klbnajqc.exe
852	Kapfiqoj.exe
5004	Klekfinp.exe
3812	Kabcopmg.exe
2020	Kpccmhdg.exe
1672	Lepleocn.exe
4460	Lpepbgbd.exe
240	Lebijnak.exe
680	Lpgmhg32.exe
4032	Laiipofp.exe
460	Llnnmhfe.exe
116	Ljbnfleo.exe
4432	Lplfcf32.exe
1080	Lancko32.exe
2496	Llcghg32.exe
4660	Mapppn32.exe
4912	Mjggal32.exe
2468	Mpapnfhg.exe
1620	Mablfnne.exe
2704	Mhldbh32.exe
456	Mbdiknlb.exe
2740	Mhoahh32.exe
2416	Mbgeqmjp.exe
4508	Mlljnf32.exe
2652	Mfenglqf.exe
1032	Mlofcf32.exe
788	Nblolm32.exe
2692	Njbgmjgl.exe
1684	Nqmojd32.exe
2388	Nckkfp32.exe
440	Nfihbk32.exe
4576	Nmcpoedn.exe
4568	Noblkqca.exe
3336	Njgqhicg.exe
4904	Nmfmde32.exe
3956	Ncpeaoih.exe
4000	Njjmni32.exe
2124	Nqcejcha.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkphhg32.dll	Geoapenf.exe
File opened for modification	C:\Windows\SysWOW64\Mbgeqmjp.exe	Mhoahh32.exe
File created	C:\Windows\SysWOW64\Balgcpkn.dll	Oqklkbbi.exe
File created	C:\Windows\SysWOW64\Dgbanq32.exe	Dphiaffa.exe
File opened for modification	C:\Windows\SysWOW64\Ocihgnam.exe	Oqklkbbi.exe
File opened for modification	C:\Windows\SysWOW64\Piapkbeg.exe	Pfccogfc.exe
File opened for modification	C:\Windows\SysWOW64\Qapnmopa.exe	Qjffpe32.exe
File created	C:\Windows\SysWOW64\Ockdmmoj.exe	Oqmhqapg.exe
File opened for modification	C:\Windows\SysWOW64\Obqanjdb.exe	Ocnabm32.exe
File created	C:\Windows\SysWOW64\Oikjkc32.exe	Obqanjdb.exe
File created	C:\Windows\SysWOW64\Ibgdlg32.exe	Ieccbbkn.exe
File created	C:\Windows\SysWOW64\Llnnmhfe.exe	Laiipofp.exe
File opened for modification	C:\Windows\SysWOW64\Nmjfodne.exe	Nfqnbjfi.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cacmpj32.exe
File opened for modification	C:\Windows\SysWOW64\Pfepdg32.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Hlkbkddd.dll	Pidlqb32.exe
File created	C:\Windows\SysWOW64\Ofckhj32.exe	Ooibkpmi.exe
File created	C:\Windows\SysWOW64\Lhnoigkk.dll	Obqanjdb.exe
File opened for modification	C:\Windows\SysWOW64\Pcegclgp.exe	Pmkofa32.exe
File opened for modification	C:\Windows\SysWOW64\Abjmkf32.exe	Amnebo32.exe
File created	C:\Windows\SysWOW64\Laiipofp.exe	Lpgmhg32.exe
File created	C:\Windows\SysWOW64\Ghaeocdd.dll	Ookoaokf.exe
File opened for modification	C:\Windows\SysWOW64\Qclmck32.exe	Pmbegqjk.exe
File created	C:\Windows\SysWOW64\Iijfhbhl.exe	Ilfennic.exe
File created	C:\Windows\SysWOW64\Jhifomdj.exe	Joqafgni.exe
File created	C:\Windows\SysWOW64\Kabcopmg.exe	Klekfinp.exe
File opened for modification	C:\Windows\SysWOW64\Cmedjl32.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Laiimcij.dll	Llcghg32.exe
File created	C:\Windows\SysWOW64\Oajgdm32.dll	Pjlcjf32.exe
File created	C:\Windows\SysWOW64\Ckbncapd.exe	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Ljbnfleo.exe	Lchfib32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbkml32.exe	Pmhbqbae.exe
File created	C:\Windows\SysWOW64\Engdno32.dll	Amnebo32.exe
File created	C:\Windows\SysWOW64\Cacmpj32.exe	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Ipkdek32.exe	Ibgdlg32.exe
File created	C:\Windows\SysWOW64\Mpagaf32.dll	Piapkbeg.exe
File opened for modification	C:\Windows\SysWOW64\Gihpkd32.exe	0491a5abd0712b38f24778e1346c0811.exe
File created	C:\Windows\SysWOW64\Mnfgko32.dll	Lepleocn.exe
File opened for modification	C:\Windows\SysWOW64\Ccppmc32.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Onnnbnbp.dll	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Gbhibfek.dll	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Mneoha32.dll	Jbccge32.exe
File created	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kefiopki.exe
File created	C:\Windows\SysWOW64\Emlmcm32.dll	Lpgmhg32.exe
File created	C:\Windows\SysWOW64\Nmfmde32.exe	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Bboffejp.exe	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Jpgdai32.exe	Jbccge32.exe
File created	C:\Windows\SysWOW64\Ncbafoge.exe	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Hpkdfd32.dll	Oikjkc32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbncapd.exe	Cbkfbcpb.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Pjmnkgfc.dll	Iogopi32.exe
File created	C:\Windows\SysWOW64\Hpfohk32.dll	Njjmni32.exe
File created	C:\Windows\SysWOW64\Odibfg32.dll	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Piapkbeg.exe	Pfccogfc.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	Apnndj32.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Kafkmp32.dll	Jbojlfdp.exe
File created	C:\Windows\SysWOW64\Eeeaodnk.dll	Laiipofp.exe
File created	C:\Windows\SysWOW64\Mfenglqf.exe	Mlljnf32.exe
File created	C:\Windows\SysWOW64\Kqkplq32.dll	Pbcncibp.exe
File opened for modification	C:\Windows\SysWOW64\Qikbaaml.exe	Qapnmopa.exe
File created	C:\Windows\SysWOW64\Fdakcc32.dll	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Iehmmb32.exe	Ipkdek32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5308	5708	WerFault.exe	236

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjmni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiagde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babcil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Geoapenf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbccge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepleocn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpapnfhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfihbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paihlpfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iehmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeocna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapfiqoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njbgmjgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipgkjlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedlip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llnnmhfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lchfib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piapkbeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aagdnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Objkmkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkofa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmmoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calfpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpdennml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laiipofp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhoahh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapgdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacmpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hecjke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhldbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apnndj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oikjkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbala32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfccogfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccppmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilfennic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieccbbkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfqnbjfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibgdlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binhnomg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cildom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookoaokf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmbegqjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpccmhdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noblkqca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njgqhicg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bboffejp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcmkgmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagmdllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gihpkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikoopij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lancko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbkml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kabcopmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebijnak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhbqbae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnabm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimogakj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphnbpql.dll"	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghklqmm.dll"	Kabcopmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidpon32.dll"	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkqqe32.dll"	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngmnjok.dll"	Qjffpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbojlfdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kedlip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lancko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Podbibma.dll"	Bjfogbjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebkgjkg.dll"	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmpaf32.dll"	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll"	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bipecnkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnknop32.dll"	Jlgoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkehj32.dll"	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcgahca.dll"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipkdek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biepfnpi.dll"	Ieccbbkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmalg32.dll"	Qikbaaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mneoha32.dll"	Jbccge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onogcg32.dll"	Kapfiqoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaokcqj.dll"	Mablfnne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcegclgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfolacnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kabcopmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnokmj32.dll"	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qapnmopa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqgeihg.dll"	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	0491a5abd0712b38f24778e1346c0811.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklliiom.dll"	Ipgkjlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafkmp32.dll"	Jbojlfdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jikoopij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mbgeqmjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gihpkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll"	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmjmekgn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 1636	4652	0491a5abd0712b38f24778e1346c0811.exe	85
PID 4652 wrote to memory of 1636	4652	0491a5abd0712b38f24778e1346c0811.exe	85
PID 4652 wrote to memory of 1636	4652	0491a5abd0712b38f24778e1346c0811.exe	85
PID 1636 wrote to memory of 3128	1636	Gihpkd32.exe	86
PID 1636 wrote to memory of 3128	1636	Gihpkd32.exe	86
PID 1636 wrote to memory of 3128	1636	Gihpkd32.exe	86
PID 3128 wrote to memory of 1412	3128	Geoapenf.exe	87
PID 3128 wrote to memory of 1412	3128	Geoapenf.exe	87
PID 3128 wrote to memory of 1412	3128	Geoapenf.exe	87
PID 1412 wrote to memory of 2224	1412	Gpdennml.exe	88
PID 1412 wrote to memory of 2224	1412	Gpdennml.exe	88
PID 1412 wrote to memory of 2224	1412	Gpdennml.exe	88
PID 2224 wrote to memory of 4100	2224	Hecjke32.exe	89
PID 2224 wrote to memory of 4100	2224	Hecjke32.exe	89
PID 2224 wrote to memory of 4100	2224	Hecjke32.exe	89
PID 4100 wrote to memory of 4888	4100	Hemmac32.exe	90
PID 4100 wrote to memory of 4888	4100	Hemmac32.exe	90
PID 4100 wrote to memory of 4888	4100	Hemmac32.exe	90
PID 4888 wrote to memory of 5068	4888	Ilfennic.exe	91
PID 4888 wrote to memory of 5068	4888	Ilfennic.exe	91
PID 4888 wrote to memory of 5068	4888	Ilfennic.exe	91
PID 5068 wrote to memory of 3412	5068	Iijfhbhl.exe	92
PID 5068 wrote to memory of 3412	5068	Iijfhbhl.exe	92
PID 5068 wrote to memory of 3412	5068	Iijfhbhl.exe	92
PID 3412 wrote to memory of 1140	3412	Iogopi32.exe	93
PID 3412 wrote to memory of 1140	3412	Iogopi32.exe	93
PID 3412 wrote to memory of 1140	3412	Iogopi32.exe	93
PID 1140 wrote to memory of 3116	1140	Ieagmcmq.exe	94
PID 1140 wrote to memory of 3116	1140	Ieagmcmq.exe	94
PID 1140 wrote to memory of 3116	1140	Ieagmcmq.exe	94
PID 3116 wrote to memory of 4252	3116	Ipgkjlmg.exe	95
PID 3116 wrote to memory of 4252	3116	Ipgkjlmg.exe	95
PID 3116 wrote to memory of 4252	3116	Ipgkjlmg.exe	95
PID 4252 wrote to memory of 880	4252	Ieccbbkn.exe	96
PID 4252 wrote to memory of 880	4252	Ieccbbkn.exe	96
PID 4252 wrote to memory of 880	4252	Ieccbbkn.exe	96
PID 880 wrote to memory of 948	880	Ibgdlg32.exe	97
PID 880 wrote to memory of 948	880	Ibgdlg32.exe	97
PID 880 wrote to memory of 948	880	Ibgdlg32.exe	97
PID 948 wrote to memory of 1984	948	Ipkdek32.exe	98
PID 948 wrote to memory of 1984	948	Ipkdek32.exe	98
PID 948 wrote to memory of 1984	948	Ipkdek32.exe	98
PID 1984 wrote to memory of 396	1984	Iehmmb32.exe	99
PID 1984 wrote to memory of 396	1984	Iehmmb32.exe	99
PID 1984 wrote to memory of 396	1984	Iehmmb32.exe	99
PID 396 wrote to memory of 1268	396	Joqafgni.exe	100
PID 396 wrote to memory of 1268	396	Joqafgni.exe	100
PID 396 wrote to memory of 1268	396	Joqafgni.exe	100
PID 1268 wrote to memory of 2404	1268	Jhifomdj.exe	101
PID 1268 wrote to memory of 2404	1268	Jhifomdj.exe	101
PID 1268 wrote to memory of 2404	1268	Jhifomdj.exe	101
PID 2404 wrote to memory of 2884	2404	Jbojlfdp.exe	102
PID 2404 wrote to memory of 2884	2404	Jbojlfdp.exe	102
PID 2404 wrote to memory of 2884	2404	Jbojlfdp.exe	102
PID 2884 wrote to memory of 1504	2884	Jlgoek32.exe	103
PID 2884 wrote to memory of 1504	2884	Jlgoek32.exe	103
PID 2884 wrote to memory of 1504	2884	Jlgoek32.exe	103
PID 1504 wrote to memory of 3212	1504	Jeocna32.exe	104
PID 1504 wrote to memory of 3212	1504	Jeocna32.exe	104
PID 1504 wrote to memory of 3212	1504	Jeocna32.exe	104
PID 3212 wrote to memory of 1052	3212	Jikoopij.exe	105
PID 3212 wrote to memory of 1052	3212	Jikoopij.exe	105
PID 3212 wrote to memory of 1052	3212	Jikoopij.exe	105
PID 1052 wrote to memory of 3320	1052	Jbccge32.exe	106

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\0491a5abd0712b38f24778e1346c0811.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\0491a5abd0712b38f24778e1346c0811.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\SysWOW64\Gihpkd32.exe
  C:\Windows\system32\Gihpkd32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\Geoapenf.exe
    C:\Windows\system32\Geoapenf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\SysWOW64\Gpdennml.exe
      C:\Windows\system32\Gpdennml.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\SysWOW64\Hecjke32.exe
        
        C:\Windows\system32\Hecjke32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Ieagmcmq.exe
        
        C:\Windows\system32\Ieagmcmq.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        23⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\Kedlip32.exe
        
        C:\Windows\system32\Kedlip32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        25⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Kefiopki.exe
        
        C:\Windows\system32\Kefiopki.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        27⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Klbnajqc.exe
        
        C:\Windows\system32\Klbnajqc.exe
        28⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:240
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        41⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Lancko32.exe
        
        C:\Windows\system32\Lancko32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:788
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        58⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        67⤵
        
        PID:192
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        69⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\Ooibkpmi.exe
        
        C:\Windows\system32\Ooibkpmi.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4172
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        76⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        77⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        78⤵
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        79⤵
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3416
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4464
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        84⤵
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        88⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        93⤵
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:268
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        99⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        100⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        101⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5300
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        103⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Qjffpe32.exe
        
        C:\Windows\system32\Qjffpe32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        107⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        108⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        112⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        114⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        115⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        118⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Bboffejp.exe
        
        C:\Windows\system32\Bboffejp.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        123⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        126⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        128⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        129⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        131⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        132⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        134⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        137⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        138⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        140⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        141⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        145⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        149⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        150⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        152⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        153⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 448
        154⤵
        Program crash
        
        PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5708 -ip 5708
1⤵
PID:6104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddlnnc32.dll

Filesize
7KB

MD5
69ee7a215c76cec17d3ee66c79a47ebb

SHA1
2ad092ff4414d9c02f93e484524bf0bd5ca91dbc

SHA256
ad8f6d987d768980c35543e63c98af3dedc9b7ac8d24d030c6090fc470c37b7f

SHA512
ab0836ed4e484ed15f4f2c5e55431e963b00e07bbad9469ca5b023fa005fc26c0000bff041e592ab065d50226d63335cd8749772a10e968929a137a7c3e3381e

Download Submit
C:\Windows\SysWOW64\Geoapenf.exe

Filesize
143KB

MD5
205e42fd625c7b7f1e4c7313f15027df

SHA1
015ccbe8e0fc0245217170d9702cd1608ccc8a20

SHA256
c115059fd986b78aea9c8b7d25a848a31e074f6cce8355e9cfeb841d93af0837

SHA512
ef3f264e57f6e12244ff425bfbab874c953575bde69e43dd6d518b2df309122d24af3229de4cc7c4cf8c6d71001b3cb9544d0cd9694c94bde890a7d7c6940e16

Download Submit
C:\Windows\SysWOW64\Gihpkd32.exe

Filesize
143KB

MD5
36a21da11d408ee60007d03c876753d8

SHA1
88249ea98a210e6387ad6ff8c8fe0c4a432e7e9e

SHA256
ea994200cea083a097f45d646bec56d6eda5ed803abc43ab00143e4b75c1937a

SHA512
594cdcb05dec210ff450c4859f4f328ca834e2f8d40c48aa59d2402f8dbf03f089869b1c3c3fde285a1055743bfef5a37884e9221be8794ff290a6112e52e800

Download Submit
C:\Windows\SysWOW64\Gpdennml.exe

Filesize
143KB

MD5
65ea28d984945503f857d8f80bdb6f5b

SHA1
b550e187a44228ee74c0ea04d1ef36727ceb641e

SHA256
79e9c9b793a715e07c103c62599c8e9d66ca11231fa62dd0eea292294957224f

SHA512
cc02f722cc7c4765d04cb2d52d1b5525eb346ad543bb74bd9aef3aece79fc0b0b96c543134d9cb8a38ae6371a981c9253455976d57a1df88f88b46ec4b73192d

Download Submit
C:\Windows\SysWOW64\Hecjke32.exe

Filesize
143KB

MD5
85666a21e96807ba5c2a178b3209cf77

SHA1
7891e49315eab1132a5db9f1494b2764275393bb

SHA256
258e5d305618318f0fe57b43385f5b713dd8a8e0e9257d7322c770cc75fc55f9

SHA512
808845890fc5f5ae05fed24c201d79785764aba546950a4c826d3a4eecd7059548cea1ed44cff122652d7606961060d72707c35a55b77a5ad7e79cb797e769dc

Download Submit
C:\Windows\SysWOW64\Hemmac32.exe

Filesize
143KB

MD5
79f9ebc0e63896914f6c1f5aa73740ba

SHA1
285d1321f499815f8286252868a1a19793d28559

SHA256
7fc65abda51f3e6562af8f763d36632730ead84672c8932263064c9a29b60bde

SHA512
9c103c714f867e61ea08acdc93b448643ea3bf3640609725981166550e5821129faa47a5e8a83d11cb1e5a40eff79bf934261dea794f15fa5e3533b3b7cb5a8a

Download Submit
C:\Windows\SysWOW64\Ibgdlg32.exe

Filesize
143KB

MD5
3e8d68dd4eb31c0e6fcee7546c09f386

SHA1
0a29677d540d527c72304a0a3815785787a97d87

SHA256
633513b68f63c8defaa0f515b5a8f6691aac31c8fa1e7c839414fcd4eb79789a

SHA512
978c6bd74765266b436970d04260309aafc3609db6fc5c05ae2ee1b7e9f75874bbaf96b40657f64928840cbfa3671a82e747a43c9c2a9cd65faa0f6f3f8dce1d

Download Submit
C:\Windows\SysWOW64\Ieagmcmq.exe

Filesize
143KB

MD5
80a6044a0355dae03117d09af0809e2f

SHA1
f521912cf0b0fec62c6aa64d435dba435566b2ee

SHA256
bf94f746b41faa3189199520d5fb64408a63c784b32c1d24c5daf60985aee03b

SHA512
883ac7406fae8c11d7bbfa3ea9c57123a5159d53007fdb677ded70c79ba4f9cb2550ee1356cfc77a104ee45e17a1a0b909c2f083051932658a1f4e46541268af

Download Submit
C:\Windows\SysWOW64\Ieccbbkn.exe

Filesize
143KB

MD5
34ae870f9252483db317fa87bd901adf

SHA1
a6dc4b388a548dc869a050f922c13205dba3a232

SHA256
eeaba731de771e7fcced09a4d1e88d355760910adba94614a349efbdd004ba16

SHA512
9385b3af4cd8ae59ac28c4364bf39522a1d4055c8a8b279e2cc3e5ac754e10df965c25cbfd588d5dbda2511e0307ab2492c38701528e5aa45659618e4a7bfedb

Download Submit
C:\Windows\SysWOW64\Iehmmb32.exe

Filesize
143KB

MD5
d23e1181e73fe82213a636fcc6d74526

SHA1
c5a6c5a9d6f942c57484f09d375b4418a26d656a

SHA256
b633a2b24fa9a910b4dff0c2d87948ebc8dbc5df05bdbde4fa6e21e55c94bdf8

SHA512
c3edbc76a5525ac76c7aa366e7e72be76f4965571c434bfcaab045ecfb8642a2b4aad882e8ff5c8f8efefbccf9d00f4144f282c2215a3cc5ad99cbf378f1ca25

Download Submit
C:\Windows\SysWOW64\Iijfhbhl.exe

Filesize
143KB

MD5
0d7ce51f763569374daeec5aa3f48c4a

SHA1
3aff9917052431e7fbda765bb4100c1c7caa4a2d

SHA256
b4b601aa49b750fd10a99934d522f4d45a2fc6578dcb74dbf91546b411b774fc

SHA512
200433748efdb149e9f72bacb7ce6b51bc801fcf918683eb9753fc7e062a7b2a29db0716cd3381cfd4fd4e866fc7a42f3b86ae339b8b46f89dc345dbe2944829

Download Submit
C:\Windows\SysWOW64\Ilfennic.exe

Filesize
143KB

MD5
e02900acf6d53e3cc90ebb80a754b1f1

SHA1
af575f3bfcf78ce928d55cd83ea805522936b43d

SHA256
87181fd2ae88afd75a7e62f7c7a116677c2bdb990b07c383b43186d4c2a4d99e

SHA512
9339d724eaefa1ecc50d025183957b94564275a055199398938e899026a36189d8e92ec3b3a634cfd38cf1d19bcbc6787b157394488529844c9b21b60808c5c2

Download Submit
C:\Windows\SysWOW64\Iogopi32.exe

Filesize
143KB

MD5
cbe875dec2ad53e2b0d3516cf4e3b2e9

SHA1
f733c267d59582a9ad167ad2bda6b6643dda4089

SHA256
1212784348c94178ff476166eb1e97d27b2011ad3f09a69c4640b8cfedb99124

SHA512
d09cfcefc48a2d4b7d8d0cf3d14f64aaa6bc2955ec215ffb25dd3178555eddee9203255936e537d4ccb44bda9dcf56e1786c1f55bbdc876ea63b9ab6532db2a9

Download Submit
C:\Windows\SysWOW64\Ipgkjlmg.exe

Filesize
143KB

MD5
daf58dac3d9c6ba4a0fe24dc1848beb3

SHA1
88f252dafba28d10af42da40174335543ddcfb3b

SHA256
aea02a0be264f5b282528c96c3c40a4e1fca2b227f718e85a1b24d55090c7193

SHA512
377196b38514822d0b09124554afe60a3f8e102cd7298ff0645dc17087a9662aa0cae617c63793f196b4a1f59c2b720a1cadd40f27796c49d731e7c73feb1fde

Download Submit
C:\Windows\SysWOW64\Ipkdek32.exe

Filesize
143KB

MD5
ced2646816a3f8419cd23a27e220af44

SHA1
f6745614c55277ec78e8fce7af5e79313c2fbbeb

SHA256
9b57dc220d6d0d999e9dbc0e4191a245f0b58461f61dec9428a8b31967b350e9

SHA512
b848fdea902c8e85a7071cbbe5eece901382a13847bd7292cea20b4515887e30ca3ff2128b3178268454a08ff9931c4ab9dbf64e6bfaee697a17bd47d7769941

Download Submit
C:\Windows\SysWOW64\Jbccge32.exe

Filesize
143KB

MD5
15031e4a4ce4112bbb0464add6948465

SHA1
bcab28a2a5bc0d58b31fc2f1ba6864b59674c29d

SHA256
f86a263d3296db0c168c5d5b6ae33a1aea8066f5e3ef0035c7825db500c08d38

SHA512
1749bd98ea4685642c2e124f5731e6e5395367d78bb7408b279daeb8b67930a450c77ae7175d9821e1b14791e6dde640639f6e2efca983a30c7f2805fe8281c8

Download Submit
C:\Windows\SysWOW64\Jbojlfdp.exe

Filesize
143KB

MD5
219d75bd96b6b1b84f4a3ef0b264d322

SHA1
d9035cc99557dc4ff9f9d141de32d880a64b9a80

SHA256
d48cf969c3c441828fb3b566a10e123b2cb74369aa66919308bc4f8e00c56406

SHA512
5605a618dc76dc7b7ac15261a95932e6fb456fc5b7054bdbfa2393d751d5eaafeffab92d957b4cd96d2a5afb45f14a61dfc4b692cca70172d14594bd58ce91a0

Download Submit
C:\Windows\SysWOW64\Jeocna32.exe

Filesize
143KB

MD5
5ee926f5e7a2ece8309cc23e853d7d89

SHA1
41eb3a61f40b91e2ce04dc8822c03b941a5594c6

SHA256
3da0015a5d4d89eda7ac43f6bc24e3e9c18fb40b08ebd224d0200a44252a110a

SHA512
b274fdf47e01afd57aea0ec6c09315affcdba68316c4ee7e8ac01c746991d84328317d990275207de8edbde9f5698b2c4d76f3932151c47a62b880586f224c37

Download Submit
C:\Windows\SysWOW64\Jhifomdj.exe

Filesize
143KB

MD5
0f1eef9c197de03d79d36eb78e895bde

SHA1
cbc0869c5c220827530e90d5c13a596ca541524f

SHA256
93687097ed13528cea531363d7bc05501a937f69c65dba6b53dc697af2a5b677

SHA512
9c8274297993e816a8fd6c2c2276190b9574968b1a3ef61b9a7091604932f15bcce7221319c392dddc87223cd7df1751e27c8a0f28de30f80af9464cde594856

Download Submit
C:\Windows\SysWOW64\Jikoopij.exe

Filesize
143KB

MD5
0c51ead2b1db1b3c98972436e0a21484

SHA1
faac5d1db818d813f09f33e08cc59298d5701b63

SHA256
289a8a083c15da6f7c7a48806d9e333bfff7437e91ea1b42381d73685d31a595

SHA512
90ae3e7e1c69162b4734e7a346622341f03af78adac9f690f8fd00353f523baeebb9cc9c1107b9a1962bf73571b0e9564cac6a6783339bd147ebc1616ce7d93b

Download Submit
C:\Windows\SysWOW64\Jlgoek32.exe

Filesize
143KB

MD5
bca18b290674c43e0c562a4034512479

SHA1
6274d5c1c0b79aeaccc380e8d27a81868fa88ee9

SHA256
cc60d4de7265a825384ff5848b4556a36e5bc7ba72a1ec57d10c67b62dae665c

SHA512
57391bb697670b1e8f1fa3ed00a4fd6d23035e2e89dc9674b4971d9a17d720e511919206adb543d3dfe79315aaa35be27f1d0b69284f6ff7cd3d24216877ba12

Download Submit
C:\Windows\SysWOW64\Joqafgni.exe

Filesize
143KB

MD5
492f28eec73814628533cac547b29833

SHA1
c5d2f1ffc2954f8d02669874b4d730f91ef5dd4c

SHA256
1b7d0c3dcf183539d1298649e4174cfaae7b16d203b28cb7464349c8c816abe6

SHA512
7a5642058f3a50ae059500840ce0f9b32329b61f5753fdc74da0f73dc2ae0d25eb06806fc932fefb12d70b4e7e7b8f9c241173db9c81c281606a1acecbad2842

Download Submit
C:\Windows\SysWOW64\Jpgdai32.exe

Filesize
143KB

MD5
047bad9ccb1b518f841dc2f3c0225245

SHA1
88d391f1d301e1e325fae8d2eadb18969e3eaa62

SHA256
989059d44fa1ce368bf95389374c2f2e8c988ec1e46284e83a3ad8fcf7c14a0b

SHA512
dcb735390fccdc821dcf8565d9084052e422adc51a6fc4ff766e177e23c4d56467927a3e10ab10997f5d8a2c9feb992c1a1447f60f344f904d19a8b4dcdfc8a1

Download Submit
C:\Windows\SysWOW64\Kabcopmg.exe

Filesize
143KB

MD5
7b478c3ec5a1435eb58e294135382e3f

SHA1
64ebd3a71729c88793cc9c72c99b3427c64a1631

SHA256
8b644e3e874acd6cec343f9be3cc93416a296b202a707e9a9a6a07afe8f8779e

SHA512
19ce874ba1f78df69ba727f638a1f2fa5b8799adcde4f6902477e635d9664badc8c5f73752e3fb0c3756e949de81d5bd6eef725fee37259c4c583dbfd745b18d

Download Submit
C:\Windows\SysWOW64\Kapfiqoj.exe

Filesize
143KB

MD5
c89028f2531fe98d7fa6235322e680ce

SHA1
23c949ef881314b50dbb54a1820108e98aeecf4a

SHA256
095a20cd0851b22d185ca563e7b43347365c0e67f675e718e273eb1c871d3ddf

SHA512
67c7077808065081aa785477e5d4a73decdd8b2a201d858df7f6a6cb24ec108f1f2cf2ae38c95734db5b16c0cf57ea4237043bc44e152d0ef5aaa32413c75024

Download Submit
C:\Windows\SysWOW64\Kcjjhdjb.exe

Filesize
143KB

MD5
598d2135940278619607c27e1c734bba

SHA1
af93a3e1ce757a4ae85c2ea32806f07719ea2a29

SHA256
94c8fbeb82d0112f984cb5a0b91f382de2fd6973338b86b14ad801d8fc12bfdd

SHA512
d76afe90df705889a23b01d2ea883a8cdf5e3bec746a43cef0f3fc40b29b702f3bd3af66a5669e3d173af7c78ae30b03daa0b45a5dff447a9f78549491ff44eb

Download Submit
C:\Windows\SysWOW64\Kedlip32.exe

Filesize
143KB

MD5
23fbaee02a1d9f4f8789452314f5f1e9

SHA1
2290a26b0d10f98aa86ed7a54a77436d52aaba67

SHA256
9af81083db151bfd4fd0eb9ab55a444501a14c364c2e297bee03dec306975add

SHA512
66d416383dfc53398cfdcf2e6cdc3e231a69ffb41170a91cc812812f11b2dd772c28cf2b28a51fc9e62148fa3ea4b8d4ab2dfa950f7266ad49f70b289fdadd3f

Download Submit
C:\Windows\SysWOW64\Kefiopki.exe

Filesize
143KB

MD5
a22fff2c599a2b6525653b8c4b32ea86

SHA1
63f740f77d03f449734e21f1f6f4899c3f2893ca

SHA256
4db32e00b11d3f574a585bb4cc1c09799b0996f5715d09ea2c364e7c5d86f87a

SHA512
c20cb855b38f096d387e1cb398c7e1c7acea3bef2752c6b0aed688c4930ce505991b25d904bdc08650c30d0e3f0e3d956f500d1c2db1f1bce80687a555a78140

Download Submit
C:\Windows\SysWOW64\Klbnajqc.exe

Filesize
143KB

MD5
809c21cade57176a45c5063988c97ded

SHA1
ea9eac119c8709243df9766225b487e47823d409

SHA256
17e0ee20dbf9c9188792f9b2fe454c5ee64212425866cd28dafc811dc0f390f6

SHA512
fc8e740d12d3d98fd92167a3c2df1cfea15026abd453fc5e470f819149f6c23a73e213cb0978b18958af05db531c65a06e052bfb8c1f1d596ddce74ae33374a7

Download Submit
C:\Windows\SysWOW64\Klekfinp.exe

Filesize
143KB

MD5
21da689d47d3eb69c48bb5f4e39c0ec6

SHA1
80b1ebbb524047939f312f888af3ae191fcff364

SHA256
a3aaef6942e8953a239dae8d2144f159c43bd16f4f3c31aeff35350979923530

SHA512
1e055f2a6bee8cc4738867363a7853b8ae35f49ce3c569b3b11324f8e236cda2664a7e035a0a2203acb3d9520a114e176fd90b91e6da399441ddf33742bc6ec4

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
143KB

MD5
2b5004e0fdfc67991404caba1699271f

SHA1
f100184bf693acb2e7e2537fd87d28a173bd326d

SHA256
3527a5566819c89fc72bc0cfe41d2f011f598e5f74067cec6c15d6c646f228bc

SHA512
6c16b2277449913e212d936973cecd56ae42b619eb62dfa0e29d147c19c155f3c904ad5207048fe5edab22e6cc801d5afef2652619c1b82cf451b283816ef4ae

Download Submit
C:\Windows\SysWOW64\Kpccmhdg.exe

Filesize
143KB

MD5
bd1fc9f40219ca02f7c5cd22f8c8df19

SHA1
cc6a2454f56738f5040b52274283adfe09f8f170

SHA256
ac285da03b04e824cd5c4f8ea20a65708b44e299edfa7d38e033aca2fbbe4c81

SHA512
2956b82d7d407dc7fe21d4287c295b874b5bbff5cf80a858182b54711eecf3206b8b32f37653a4197685932e2c16acc3a4a9fe444e184b7bbcb816335f912266

Download Submit
C:\Windows\SysWOW64\Lepleocn.exe

Filesize
143KB

MD5
fa7b3a052c7dbbbcb54985c7b4560667

SHA1
716ca829e25fabffc5c8da12cfa96d88838bb4c5

SHA256
d341d927745521d195c2a981f90bf1845907642bf1110725f125a26f10e89697

SHA512
c09d91edfed7aa73f9549c80c0cdd6c615ef2dc074774b70ad9c9511698451c522b10314bdd288f9174945149cc4aaad487616990acc7d89c707f53f80a7dd8e

Download Submit
memory/116-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/116-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/240-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/240-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/460-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/460-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/680-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/680-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/852-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/852-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/880-74-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/880-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1412-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1412-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-123-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1636-5-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1636-66-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2416-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3080-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3080-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3812-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3812-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4100-94-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4100-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4652-59-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4652-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads