89683e01bca05b4145274aa624204968a066ecd646026dbfc4a42977d6de45d4

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89683e01bca05b4145274aa624204968a066ecd646026dbfc4a42977d6de45d4.exe
Size

67KB
MD5

e914a7b0684072616394389dc31ef730
SHA1

4eff225d0b0ff39206e97bdf6560ce14fea92670
SHA256

89683e01bca05b4145274aa624204968a066ecd646026dbfc4a42977d6de45d4
SHA512

5a6a15a213626f1bab3296491d1f35cb6c1c15586eca1f92a88c47f636cb95dbbc9687dea6d498ed05c937bfb58fb2368fb5a1e91fd3f9b68bae8f4efc04a1cf
SSDEEP

1536:n7yUoALl9hX1nvNBRM37Vfdffppprzk3vipa2RQkR/Rj:n7yU3DnzypfdffpppPkfiprekVx

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klngdpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pflplnlg.exe

Executes dropped EXE 64 IoCs

pid	Process
1476	Kebbafoj.exe
1728	Klljnp32.exe
3260	Kdcbom32.exe
1040	Kfankifm.exe
632	Kipkhdeq.exe
3924	Klngdpdd.exe
448	Kdeoemeg.exe
3324	Kfckahdj.exe
3052	Kmncnb32.exe
2104	Kplpjn32.exe
1580	Lbjlfi32.exe
5016	Leihbeib.exe
2696	Lmppcbjd.exe
3220	Lpnlpnih.exe
3140	Ldjhpl32.exe
2376	Lfhdlh32.exe
116	Ligqhc32.exe
4388	Llemdo32.exe
4240	Lboeaifi.exe
3312	Lfkaag32.exe
4076	Lmdina32.exe
3316	Lpcfkm32.exe
2856	Lbabgh32.exe
2884	Lmgfda32.exe
2880	Lpebpm32.exe
5104	Lbdolh32.exe
4820	Lebkhc32.exe
4380	Lmiciaaj.exe
3724	Mdckfk32.exe
868	Medgncoe.exe
4744	Mipcob32.exe
2840	Mpjlklok.exe
1944	Mchhggno.exe
2272	Megdccmb.exe
2252	Mmnldp32.exe
3224	Mplhql32.exe
5064	Mdhdajea.exe
2480	Mgfqmfde.exe
4052	Mmpijp32.exe
2364	Mpoefk32.exe
4964	Mcmabg32.exe
1752	Migjoaaf.exe
332	Mmbfpp32.exe
4616	Mpablkhc.exe
1724	Mdmnlj32.exe
2188	Mgkjhe32.exe
3296	Miifeq32.exe
2208	Mlhbal32.exe
212	Npcoakfp.exe
4640	Ncbknfed.exe
4324	Nilcjp32.exe
1680	Nljofl32.exe
4284	Npfkgjdn.exe
1788	Ncdgcf32.exe
960	Ngpccdlj.exe
2432	Njnpppkn.exe
2072	Nlmllkja.exe
4840	Nphhmj32.exe
3016	Ncfdie32.exe
5108	Neeqea32.exe
1644	Njqmepik.exe
2984	Nloiakho.exe
220	Ndfqbhia.exe
5020	Ngdmod32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Codqon32.dll	Nljofl32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Mipcob32.exe	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kipkhdeq.exe	Kfankifm.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Llemdo32.exe	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Benlnbhb.dll	Lfhdlh32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Hhmkaf32.dll	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Ldjhpl32.exe	Lpnlpnih.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Kdeoemeg.exe	Klngdpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Lmgfda32.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4584	6688	WerFault.exe	284

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namdcd32.dll"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjpohk.dll"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ngdmod32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 1476	3372	89683e01bca05b4145274aa624204968a066ecd646026dbfc4a42977d6de45d4.exe	84
PID 3372 wrote to memory of 1476	3372	89683e01bca05b4145274aa624204968a066ecd646026dbfc4a42977d6de45d4.exe	84
PID 3372 wrote to memory of 1476	3372	89683e01bca05b4145274aa624204968a066ecd646026dbfc4a42977d6de45d4.exe	84
PID 1476 wrote to memory of 1728	1476	Kebbafoj.exe	85
PID 1476 wrote to memory of 1728	1476	Kebbafoj.exe	85
PID 1476 wrote to memory of 1728	1476	Kebbafoj.exe	85
PID 1728 wrote to memory of 3260	1728	Klljnp32.exe	86
PID 1728 wrote to memory of 3260	1728	Klljnp32.exe	86
PID 1728 wrote to memory of 3260	1728	Klljnp32.exe	86
PID 3260 wrote to memory of 1040	3260	Kdcbom32.exe	87
PID 3260 wrote to memory of 1040	3260	Kdcbom32.exe	87
PID 3260 wrote to memory of 1040	3260	Kdcbom32.exe	87
PID 1040 wrote to memory of 632	1040	Kfankifm.exe	88
PID 1040 wrote to memory of 632	1040	Kfankifm.exe	88
PID 1040 wrote to memory of 632	1040	Kfankifm.exe	88
PID 632 wrote to memory of 3924	632	Kipkhdeq.exe	89
PID 632 wrote to memory of 3924	632	Kipkhdeq.exe	89
PID 632 wrote to memory of 3924	632	Kipkhdeq.exe	89
PID 3924 wrote to memory of 448	3924	Klngdpdd.exe	90
PID 3924 wrote to memory of 448	3924	Klngdpdd.exe	90
PID 3924 wrote to memory of 448	3924	Klngdpdd.exe	90
PID 448 wrote to memory of 3324	448	Kdeoemeg.exe	91
PID 448 wrote to memory of 3324	448	Kdeoemeg.exe	91
PID 448 wrote to memory of 3324	448	Kdeoemeg.exe	91
PID 3324 wrote to memory of 3052	3324	Kfckahdj.exe	92
PID 3324 wrote to memory of 3052	3324	Kfckahdj.exe	92
PID 3324 wrote to memory of 3052	3324	Kfckahdj.exe	92
PID 3052 wrote to memory of 2104	3052	Kmncnb32.exe	93
PID 3052 wrote to memory of 2104	3052	Kmncnb32.exe	93
PID 3052 wrote to memory of 2104	3052	Kmncnb32.exe	93
PID 2104 wrote to memory of 1580	2104	Kplpjn32.exe	94
PID 2104 wrote to memory of 1580	2104	Kplpjn32.exe	94
PID 2104 wrote to memory of 1580	2104	Kplpjn32.exe	94
PID 1580 wrote to memory of 5016	1580	Lbjlfi32.exe	95
PID 1580 wrote to memory of 5016	1580	Lbjlfi32.exe	95
PID 1580 wrote to memory of 5016	1580	Lbjlfi32.exe	95
PID 5016 wrote to memory of 2696	5016	Leihbeib.exe	96
PID 5016 wrote to memory of 2696	5016	Leihbeib.exe	96
PID 5016 wrote to memory of 2696	5016	Leihbeib.exe	96
PID 2696 wrote to memory of 3220	2696	Lmppcbjd.exe	97
PID 2696 wrote to memory of 3220	2696	Lmppcbjd.exe	97
PID 2696 wrote to memory of 3220	2696	Lmppcbjd.exe	97
PID 3220 wrote to memory of 3140	3220	Lpnlpnih.exe	98
PID 3220 wrote to memory of 3140	3220	Lpnlpnih.exe	98
PID 3220 wrote to memory of 3140	3220	Lpnlpnih.exe	98
PID 3140 wrote to memory of 2376	3140	Ldjhpl32.exe	100
PID 3140 wrote to memory of 2376	3140	Ldjhpl32.exe	100
PID 3140 wrote to memory of 2376	3140	Ldjhpl32.exe	100
PID 2376 wrote to memory of 116	2376	Lfhdlh32.exe	101
PID 2376 wrote to memory of 116	2376	Lfhdlh32.exe	101
PID 2376 wrote to memory of 116	2376	Lfhdlh32.exe	101
PID 116 wrote to memory of 4388	116	Ligqhc32.exe	102
PID 116 wrote to memory of 4388	116	Ligqhc32.exe	102
PID 116 wrote to memory of 4388	116	Ligqhc32.exe	102
PID 4388 wrote to memory of 4240	4388	Llemdo32.exe	103
PID 4388 wrote to memory of 4240	4388	Llemdo32.exe	103
PID 4388 wrote to memory of 4240	4388	Llemdo32.exe	103
PID 4240 wrote to memory of 3312	4240	Lboeaifi.exe	105
PID 4240 wrote to memory of 3312	4240	Lboeaifi.exe	105
PID 4240 wrote to memory of 3312	4240	Lboeaifi.exe	105
PID 3312 wrote to memory of 4076	3312	Lfkaag32.exe	106
PID 3312 wrote to memory of 4076	3312	Lfkaag32.exe	106
PID 3312 wrote to memory of 4076	3312	Lfkaag32.exe	106
PID 4076 wrote to memory of 3316	4076	Lmdina32.exe	107

C:\Users\Admin\AppData\Local\Temp\89683e01bca05b4145274aa624204968a066ecd646026dbfc4a42977d6de45d4.exe
"C:\Users\Admin\AppData\Local\Temp\89683e01bca05b4145274aa624204968a066ecd646026dbfc4a42977d6de45d4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\SysWOW64\Kebbafoj.exe
  C:\Windows\system32\Kebbafoj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\Klljnp32.exe
    C:\Windows\system32\Klljnp32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\Kdcbom32.exe
      C:\Windows\system32\Kdcbom32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        27⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        35⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        36⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        38⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        39⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        48⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        50⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        54⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        55⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        63⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2084
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        69⤵
        Drops file in System32 directory
        
        PID:3920
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        72⤵
        
        PID:736
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3548
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        75⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        76⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        77⤵
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        83⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        86⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        89⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        90⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        94⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        95⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        96⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        97⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        99⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        101⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        102⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        104⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        109⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        110⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        116⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        117⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        118⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        122⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        123⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        124⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        127⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        128⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        130⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        131⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        133⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        137⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        138⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6152
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        140⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6272
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6344
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        143⤵
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        144⤵
        Drops file in System32 directory
        
        PID:6444
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        146⤵
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        147⤵
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:6612
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6700
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6760
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        152⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        153⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6892
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        156⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        157⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7056
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        159⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        160⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        162⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6260
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        164⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        165⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        166⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:6708
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6780
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        170⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6928
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6960
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        175⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        176⤵
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        177⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        178⤵
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        179⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        180⤵
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:6964
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        182⤵
        Drops file in System32 directory
        
        PID:7052
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        184⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6756
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6900
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        188⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        189⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6968
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        192⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        193⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        194⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:6688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 416
        196⤵
        Program crash
        
        PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6688 -ip 6688
1⤵
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afmhck32.exe

Filesize
67KB

MD5
192852465d7185101f177f0ac813850a

SHA1
40c0e2c6cd95ba364831bdef61b73e1b3f202b8f

SHA256
8c40f60e447d86796f21081f57db3a4241f8d98c2367628353698b0c2b3f3e62

SHA512
8cd7c2fdd7149c1e99a05018bf55c74cf27ddb4ad3dd96a2e0f14037259a23a5439bd0dbf9d6d8135e1c426c27eadc88887bbb83fe0d779d250a9c82e3817f6b

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
67KB

MD5
fa7dc5a25384088de76b36704e8e5bc0

SHA1
1787cd962645418bb85750d792a9cc50f1dc4bc0

SHA256
756caba68f898f29ef176125099956b98d2652752443ca8ec7185e7c9479ca1c

SHA512
0dbdaf0bbc2bc9f80ee66ac94746d172eaa310b4aee97ce664bc90cfc0d384b8232c0fe93639dd7f70043a01c4f576ef60833978d86709223049296b41dbeaec

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
67KB

MD5
c5969d7f02c031f2cc9ea4f5bd652e0b

SHA1
b14299292a6c5677a306115a8d1be3423fe08b36

SHA256
637f43755e0aca3b5c7856105ef578b10e99bfa3f70ce978b0f2517fe08c92f2

SHA512
2050778845708a5b3df7a377dec74435ba3d82136029c69cba180bbb9fbc812a968cca8a252c92222db8710526850de43e7704ea54eca349b8bd90b295af80b0

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
67KB

MD5
de1eb37c64d519fb826f36627c806510

SHA1
2089afa448e6fe04128f1223f7faee988bb8f96f

SHA256
d13c3ebfb69ce298b9a4d302d6ed75cc714f8dfcd2a9d2ae8b3875801100b11b

SHA512
cff7540f78fdd823fffa98c0ff60a7355126cf9c5fe572bb0137cbe97244ccad340d98ebe99b2814610422526b0b6c7f0f3661d9e686c56412391014bce0ef15

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
67KB

MD5
61605156cf32ae73c068ce238af22d80

SHA1
a94295bd10ced8ad9d3a68ad93184868fefc9864

SHA256
3532f7ad7757937d18e56a797ed32ed69f745df26387a8b9c0c6956e680e37e3

SHA512
26cd6f4741819ade1ced97d294cd1cfe60e38cbd053d03db433380f5d778b2e28aa4da3cb4972dcd15c2546292332e0d9f72d363e0c6dab297ccfe13359eae6b

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
67KB

MD5
fc81dde21130a47f3ab0cc167c03f76f

SHA1
0ab13b678837136500a38c7a9dbe4f1041b7a6b6

SHA256
95fb6665e71ba74a3ffe2f920069b15aa83451a526346e7aa5a54c8fe44e103b

SHA512
da0094258116d2d23f0fdab021e49ea8d3e5c6b885f3a9301b73e60a197d2e9e1d77667f69b91d29fafdbb26aa3e54ad32702d79b1efcb8e889fe27d298e01c2

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
67KB

MD5
b1bc8701fdbfc44826feae4f49dd46e8

SHA1
adfe3f27504a1a2ae3c515080ed25e3dd388e5da

SHA256
8652a6dfa7899c0c5e1f7d01092a559e00c500a4ec2d8a789cf916e36474dc36

SHA512
fd1a321525711107ad9373bc8c7e51f8e4c431db2ec0b1f0d4fc20801dde525975ae7a459f520e96506011246047f0be0ccf6fdfc62dee1a84837692e960b998

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
67KB

MD5
f3553892f97aff0eaccb2677f68538b9

SHA1
f68ca280e1781d3c20926f84a6c38ee9d2b31a5f

SHA256
c489cc2bc746757ab91923555e50dc2cbc876052f6cbb61864eb5f7d5e9616fd

SHA512
90e7bf86a24571686d963919b6d286a0dd9d0a756cc7d257cd39be2c1c7113f26d55eb91eb4dfeb9a51d61ad9185c9375baad54635dc016b7231155913b1fd4a

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
67KB

MD5
7b4ef78606d13ea359144252ecfddbdf

SHA1
76a2b953b47bb7121fcbbf53306049efca422de9

SHA256
efc5daa5d24736505ac12cbfca88d00db9718f44f2d7a01e0d0bb7e949637f85

SHA512
f559d85f64c7348293ad77e04717429d7dd63e819a95291189d3e0f71b77460034a456b73d8c1bf9c5483ee3ca656b1d1bb084a0e6625dc962e3c5d30e2526e6

Download Submit
C:\Windows\SysWOW64\Fhccdhqf.dll

Filesize
7KB

MD5
fdd9dd32f040e7a5cafc0dfeebfaa551

SHA1
b4ebc04986ec7a1ac45004ad0432784b8503f93f

SHA256
c99a341eccbd9524c467561ead5b04d68631ea8af6bd39c511860e0968befec9

SHA512
a64c96fcf2d410c284efab9dcad983c6f92fe8ccab1da8e4319ddcffd5ce5477a64046ff6fcede852fabc99eb74f6b71b9f2041f242ac9b3196300b0f386e163

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
67KB

MD5
655d87a9865c8dfba6211ec7a2936f16

SHA1
b184ee291d57d852952ea99a229490a1a37f02fa

SHA256
70935b6ba4ec8a9db23a4770992bdcf143160cc02f3baf7df3a2a2c1e6eb36a9

SHA512
dc644449042ca7e1b951ceaac44fd709ed7314e8de9dff3699819b39a22fbdaafed47e625010b643905a9d8b21244831461e8940491df8b5f9b6aea8e5ad8a09

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
67KB

MD5
df2bdffad461d00e3be45c1a185bba84

SHA1
2693f73f1ae58fad0d6a363540b3203a9a1ea5da

SHA256
5d8a5733e8dfe0238beb001c5814dd2099eee9eabd0f92e662dc769988177e0c

SHA512
0fe1f75f6372d451e36ff48bd96aef0db0fbcfd3b828578308d59c7a59fc76a8693a317f834620425aa837ac97258307c2ec70850fe1d3aabd2d43a8539e4e7f

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
67KB

MD5
7aa2bae242546dc66765489a822e7d8e

SHA1
d24d4e05af61ec685a9d943aa83647e7ce7cd6a5

SHA256
1356dbaa3806ed21d35e2288426d6bd3688255969110998dac92138ff5f313e8

SHA512
30d2965dd48e029e6e0a5039df989547e3ca3a6003ef14a3de0c33aa7966dd616955f8190dc9be85c5e5afcf37df7ebcab7fd30f6737838230a8da4e31f636ee

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
67KB

MD5
1c574fecdfc58d141a68b075f0c9f145

SHA1
048481ffe9c1e000980fb8720b3f2c2cc41b8849

SHA256
cdd7e05ff4b8b9d20a97e9a1550341d4aa23fde1358618afa85fb26095ad8895

SHA512
54fd951185928e16590e583726579cf37cbc84669778127556bb6c39d6a6db981864f5e33f2247d044f304168fc2fe5e80556cbab657e3e885621234e14ab90d

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
67KB

MD5
e3270f34bfcbd0320c5edab3a63285c1

SHA1
1b4e18934d400f56462044031a5262dd04ebdf4a

SHA256
808a61a5a661dcb659eef7e2de069706fdbebed77f8a260c1216451ad47c211f

SHA512
df5632f4d3d5b4f6e5759ab02a29ea5a4e17fa33176f3053095dd4e9c788504f839f3631f0dfb8818db55091fc1e2022d9911af1ef82281416148a03e2d50b11

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
67KB

MD5
f4cc1b6c47890c8d03710e000ca364f9

SHA1
8fd3de3f33d34ec45b4849f57e2656caf43c13c5

SHA256
25f7a23b2281ed6a907fad044a5f5ae7ad58195935f7a3333cbd591a57926015

SHA512
5b81004c13a044339e2618510b851eeab3a5ddd7725141f492d1c05580fc89b2669addf7b67547157ca053393b21e5122db6c534ca4ffc51b6fa4c3cb5f490e3

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
67KB

MD5
11cf7e937d1ceff4fa06a2fed0a4f796

SHA1
404db2853e666faa8a85b654762547cfdbd44215

SHA256
7911b26eef8047d071f8092acca21c234b2140c33d3c94e75e25798d5403bf22

SHA512
ed236c8b65a3c56b58e6aa19dbac4824bc604db66c3666281688b8140d9d2315f1d27fb63665596514286e435657dc8f581c15bd30601708298b5d511c0b4869

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
67KB

MD5
6eab69c6525d985fb9ae625815055748

SHA1
6628a168d85e91913ff3d6d3b56730c2b2a4c5d2

SHA256
4f08e7a2ed9572e36ac16674ca316ce51227b51dc2fb03c4685948cd9d9e3673

SHA512
e59ec7b75ede6320f2b75424534f7e91b7aaec29eda7c61f4ee46b9a66b9aadf4bc86458c72ef7bcff8998239bca9fbc93f74cb550516379158ed56669de9423

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
67KB

MD5
3211b19eeada3241d8a5d1c303655357

SHA1
c82b589a0d53a3600ec3e6b825a999e80f366691

SHA256
e9dfda57b94773c46d1a45eba95e73745ad71d0125623968ec3ff1a9943ec48f

SHA512
962bcece8dbe240a7462bb6baac8a0437997d7a90a7aa1c096f7bb4ac83a9151901796c49f9cfd165565b26be0c94253af82c4fe017e384dc43b05a63e2ce148

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
67KB

MD5
a56150997007722c3ccbf2a6100c4d2a

SHA1
c089c56f281be8804e9d894ccea974111f29a424

SHA256
0924dda00943dd5dceefc8c7837f83bd98dc4c7d3392c1c7e41ba67b886ab671

SHA512
bc07735d070ba1250f960ecd0e20677ee61911f4a6a7d9a53180f0eeda30895c05e2cc4d352e066baccc4f23ff603786385f6fd015375965b0b7fba3e7d42a89

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
67KB

MD5
3a892b50310b5c587408423005446400

SHA1
9929d4499452f2995a25a6d028f127e3396aa98a

SHA256
f4a98ea3db1044dce93442b89c047c3aee7a61fae0117d4873cadb172f2bad8d

SHA512
a4589759d013fd7109c0f73403bb985c6c1dc3d147dcda3b68de4df97503ed48721bb1bd39f73e1b47f7346821107ee3ab573c89711fc4633076733a51542d98

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
67KB

MD5
b8a65b6b5d082b544908a4df90769b66

SHA1
c5ff8379aa05a5394d809a5b12036fa586a39062

SHA256
af06df1ced4f3c359ae3cb9aa2e545b97687899bd80a10444572814076bb99f9

SHA512
6aec8be423dd4466090ded0d9fe97602649ddc30c4da430a683c764305c6ede894f966ad81b17fe6ae8e615b6310068046e9afa8b875105167f64485b52791bb

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
67KB

MD5
1817e5b815c90139bdd370d08b049953

SHA1
f69771f2480563f2fc20eaabb7c28ad76bef6239

SHA256
50a7e9616f53e1729baa4964a84dec5b48b32caca07e92d2e8bfd23ce9dd7e69

SHA512
7b9f8b90248bd526ae64f4ecdfbd5c47211054892df2cb244a8836f540b72d076d4fc05c14a75a0ef24f42d31060fb2d32b80e42c12e896509cbcd83bb418546

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
67KB

MD5
5e664eacbf81f849395b79baa14869ef

SHA1
5b734746292ded38710da6ee3009f52adece0621

SHA256
2ee563425096452aa82c9c36985686206ab11637856e3d77fb1ff4b8cfc69b56

SHA512
a2a192072755d1abe102ab7c6cfa856aa7cce213a68f2e819def96c33c4a0b30c02b7b274f030734c31f65f51e53b0ed49a1a312b731d9341c47e9b9ca763b2f

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
67KB

MD5
7ac3e9ebdbced0a395b34188436e9b4d

SHA1
c1c03d742ff0dadc8986139933627536939f7326

SHA256
4b971fdbbf61a4db29746f9b7a7deb37b5bec5d4c71b3404863e9bcdc21bec41

SHA512
4685df141b9e4f2e209ad717eb84266e26ac89b00b0ad8c9abdc9efe71fb4efadfd72e47f4fa0b95696f5fad5c93fa792b5da359bfc07ceee0dee13515d3617b

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
67KB

MD5
0e3ae5fe03336f2fee4f031543ae75f4

SHA1
9f6ef8915fbd103d05b3e8a9845253e64726d118

SHA256
0119f54df6b9ada2a8103bb6b1375fadf245e86374c02da73e2b9749767d7ec7

SHA512
0e94158c66f99d6a9f40978c33e86744feded966ba76dc0b9e76d8403ad2c4ddaec0b9c662047a586bf1155efb8348337db0ef46c6ac0b52a380e2f1b7bea06a

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
67KB

MD5
b525d3d45a59d23be8f16fe7996d7e39

SHA1
68531a2275823f51459d32153c1dc45840adf8ce

SHA256
38f74a5e790f1ec64d84b83302989d29ee2b7b7d93106c4404e6d5c981bda07d

SHA512
2f79873b5901a010f651d68d9a9e21020d56b30de793eaa27ec871c8bcab89c0b79a56e4d4e675ced93aaee1d417ab5b09b45e2d78f4671259b26362c1e15afd

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
67KB

MD5
1b0af17dfb9f990865b325cdd1402890

SHA1
ff160af436eb26e266841920b593305bac387a15

SHA256
a3d1d7f0a1b35b88e25bb27aa6d7c4814639d76f9abd378170b0efe4f9d94dbd

SHA512
993d247651b441be542d06219cc82176841ca0989f346a8a4318f679dbf8fbc2ed98af525d103ea74b94b726e61d27cd2da08b7d0379c4cac4811c1975a3dd05

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
67KB

MD5
6acb46d30669d7a398fdc7f87aa5f269

SHA1
33699d25b6f7b35af1c4348561e7ca84801bcf74

SHA256
dd175d76974bfcc4eba8b11e19ce482d19cb10fd4450025ff3c5b33a7785ab89

SHA512
8e256230070f0ab35267c35291585b08e0d70a0f4f3ab28179e6edc2234c1336ce7df5a2e7d1e32ad673bda6496385ac700c353d6cc559444a74f58baefe77a1

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
67KB

MD5
747840cba03acb0783aaaf4d205dcdad

SHA1
e6afde23d322a0f159cf5ec619b83707a42258d9

SHA256
28afdc8e411d5f08eeb618da03a1eaba41c7d1bc7264958feadc681aa979e11a

SHA512
974f9105596237fbd25da3af543c10092f8e6f928d0c031f2a9f2f994444084ed0ab696738b95f3a516431e0cadf2b00a7e1f389006e7735d89b78f8fb39d917

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
67KB

MD5
006bde4426d9aa86312904c835cf62ef

SHA1
ebae0e46581cd50395a8fad5ea73033a83f45377

SHA256
03dd2c723deb0dd73d2f34b802586d71894c4d45483b76109114ac7545b9837a

SHA512
102e809015d43e2c7186a8aea78ae2cd9c710ffae55b3e6855882363b85524382622df67bd6f5e5723a371f6ee3300ebcaa1627fa0d85c794576bccbb0719173

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
67KB

MD5
151753241a8dd048d352ec2178801b77

SHA1
3a009249b17514f624af8631b1284a885f27287b

SHA256
5d1221b3315ebd127c972c5177612cfb9cfe80ef08e94df4790f2991c9ac4538

SHA512
79ebfa8c7d796813c26a25a1e13aa28bbdbe7f91a4cf94d363675cdf3fae9e904430292d01d39d5a39e0acb032e71dbc37a128ed9a9523a5f87ffe84d39529cc

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
67KB

MD5
98616c4a2de7ab89f807f068bac603de

SHA1
1a7b722b5b1bd2b9bc51c81469a4889b46c5ebe5

SHA256
4f29c1bb9b582e66d065033af15def64791dbf96fd6ec92ae8a5ba0f2c8fe268

SHA512
64d5980b62fc4da9beb4b86d45447f6e7d35c1ec7f0d712bf248b03034c637c4feb24e65ec7f68128b24b8381ea48cc6f2723c1ed130eaf7e8bd7782e84893f4

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
67KB

MD5
bdf95736538a07ece6f45db50cf2174a

SHA1
6fa43b4120fa1f99c7110fa2ce2f1b1646476aeb

SHA256
ec05ba4e076c68ccb6892485fc55d280323679ecf9142cf59beb79653de3134b

SHA512
365f40907439475a81fdaf21df43f84f6272112c0b12d33c442420fe5651ec2ddd6bb75e3f24151786d2ea3409448254273e2704cfa4779b880e6bc784fecb46

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
67KB

MD5
da6ca5fddbd8b86275562df95cffd1c3

SHA1
4788be483399deb4db33beb9091bc6f1b0c8f50f

SHA256
e7d926ff96b5ac3fa965d1531a8fc1d467087481c77ffb2704f17f84c7b6bb4e

SHA512
647bca2258e7ed8c2b37d097e6fce80998481c85799723ae8b7a72030c35f9ebc364312b33e5b85fb52d972a17f7739d6551a787a8c1fa75402a67d42409fbfa

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
67KB

MD5
eebc35afa7d541aff9dce8c4f173fe92

SHA1
98a6dd144c36f2142c53ed391be24fbb31aa3d62

SHA256
ca3634b29901976576b5a22105f5265aeaf3364051748c8c9c70ef02b1525a5e

SHA512
727bdb97e8be28e5436b9aa99a0fb4c43da014347203d31cbd121cef0b8dbda8ecebd64356fdbd92c720665da0897f3674bfafc5bfbbcbabf5a2e484b6973365

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
67KB

MD5
4b324ff557b4342551b51bbc5fd92447

SHA1
275f0e296ada7535822eee146b3781abf588a021

SHA256
de08b1530b02287a7365e3b358b5044c9cc04d768ad58543d8c0922d2239cd0a

SHA512
6f9dd0d7f8a51f0169e0be1c875872a897c8db36e073e4d067551a777c60818c8f0e2843ab90d0bb6b7248b43a02149e84307d99ee868c6a76481ad1ffe6418e

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
67KB

MD5
618d21c865e4facb7e2b25571a187101

SHA1
26663b30acdb2a3b449ddf028f7904453cd78eda

SHA256
ab2b4f1c997c928904b2873a9c914977b8721cb3fff74449120a7581b9bc3c50

SHA512
dc2561643f453a7ba32bdd07ae56c8cef72ea89c228b0d86ddb30a84f1afcb8e17a89af96943d6256c2f3513c8a059c0a3c0bb78e63865466af29b54b029fda1

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
67KB

MD5
83550b5b20504013aa68739ef0d5e54a

SHA1
5b5f509b9c1b47865c181d79d49379f431399376

SHA256
d028b0dc9279d20a45381c686a1e3bb88440e48b66c6e634e9c4e48e3e7952fe

SHA512
578c58abecccd762f83bf83114f87ebf4cc3bee6885aac79299e0c4a5e859de591abe839c8e8ca21e6fc8653d693b1e3a515ded989d7fc8bce74b899421b1c30

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
67KB

MD5
3496073d47702a79029203d04ba663cc

SHA1
c1a069c7358325635c5bc1eca5e854a29d39b659

SHA256
53e4710383df14511f0c0f11ea826017a0729f7b1d92ed132e6435cbbc62e82d

SHA512
bbf48a949cb7b82b4e5c9df3fdb2e3660b0dfd8e30ab2ca79dc1a4e304ceebe3184706e011590eedaed0a99cf3111d1f8ad909330a5dbde37fcd9b74549d7111

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
67KB

MD5
3d2e00fc8b4010b64daff318fd03bf30

SHA1
aa1aed73303ed83b5d92838bc357e56b0af172b9

SHA256
d0ffae521530b94a0dc9eb1aa7325afb39934bae11eb3015aac77102e733e463

SHA512
6df2a9f5ac0291178a714b471e70da21eacb41fdf831bc31257bdcc93e63dbc0fee4b5839427db854f39f033d476583c0c8a00bd4ae0b5c9652d308a29fc4b59

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
67KB

MD5
0eaa936e9613d5cfc89d2f473ed01e7a

SHA1
c47ede1ba72ee5058754cb8b0a575ca8b6466947

SHA256
58613909b736ad1b10ec6041236177c79df5021b4103b5c9895b0120c3910706

SHA512
9aeb3d0e43f65683f7edf0023ef733a78c0888e774e93be797fc31a749d8176032aa42a8eef3e5a03d881c55024958477104c532a00d10f7f9cf65c310580ea8

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
67KB

MD5
4a2d5bfa01d0ea1c09b5d74c52c608af

SHA1
f1bcdccb8759117f6be739446ed24ba6ea6fd795

SHA256
ec158031425d89aa322186374fb6e43a7a18173a2192c86e6e1db37c3cc0ad40

SHA512
cd0e410c6d368db51f1413f48ec283e1c577d2176b3aca2ac12a9bd80db8f99afa73e96f40eaea9266e4cc0e9efc73d67d1afbe0c62654881fb06ce7abb2f6c2

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
67KB

MD5
7534f96e68b9f19be7a1b2195acd3578

SHA1
193a7facfb8164786c0e4d1ed55ef72fbec78747

SHA256
ec0211d94b679edbc4601421f9872d808d95be6fea5ac2df5a6a60aee7301d64

SHA512
13b728d88eb21c468f4de4dbe5881f819a4d35f98d53867a3d03aa9bea4d740474bc2b1c4ce18180cbe9e983fe1aa303ff926d9c1f9269a01d0bf88faa172e39

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
67KB

MD5
59dd2a8dcb77c935dc6b37ba5d49cbdb

SHA1
1c5542442b3c33dd9d6bdb05289311c42828900d

SHA256
18fb87700f530cb7f5d0f64f0d0cfb45d475e0ef32b05341d36fdefec41a7903

SHA512
055dd245f66ef48febfd4c8382be32e640b98f1c4b0f6dfd1c358c3cb5ee291533ee2f6daa3a96f678bbce6837fe3d2b4f6878f9bc5d54bc2b55da20611edd4e

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
67KB

MD5
d0d9e22d86b0aad7b5374ca2e77a5cfc

SHA1
62b19b3e57248e3c9f569bf5381da7249fd9d9c1

SHA256
75157247f43375d3db6e13dc3fa0bd9f0579689b72acd48833839a8d004c4f8b

SHA512
170c3d1a7a2c0d92efa0cd3f386a6fc7b709519a3295d03836a562aa17f7256126a8596915ddb489a8e1c2e1cbebb71d9084f4c3ce25e493bbfb711d24ed828b

Download Submit
memory/116-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/212-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/220-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/332-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/400-563-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-597-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/632-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/632-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/868-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/960-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1004-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1040-571-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1040-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1164-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1476-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1476-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1580-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1724-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1728-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1728-562-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-320-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1788-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1944-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2072-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2252-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2376-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2480-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-550-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2880-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2984-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3016-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3140-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3220-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3224-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3260-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3296-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3312-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3316-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3324-599-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3324-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3336-537-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3484-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3548-506-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3676-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3724-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3920-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3924-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3924-589-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3988-525-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4052-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4076-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4240-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4284-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4324-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4376-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4380-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4616-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4640-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4656-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4720-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-219-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4964-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5016-100-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5064-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5108-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5144-569-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5188-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5232-584-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5276-590-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5316-598-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads