d7edb7e39d22f92ae9860a32cb2d3fcfd53a4a6950e45ab9ab3df4a0aac8bbce

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6c67ad602ba62ec75209f276998dd00N.exe
Size

386KB
MD5

c6c67ad602ba62ec75209f276998dd00
SHA1

10101c617c9c7d3f8f61f27321cdfecd2c5d0f13
SHA256

d7edb7e39d22f92ae9860a32cb2d3fcfd53a4a6950e45ab9ab3df4a0aac8bbce
SHA512

890678c62257684a63897cd8f3768f0c6e6b0742a86179dd94a85781e2e0e80ac99982e290b41a38e080aeb7f3b361ee78404859bb836375d0d6de3f555772dd
SSDEEP

12288:6nnEbhx3/wQZ7287xmPFRkfJg9qwQZ7287xmP:JbhxPZZ/aFKm9qZZ/a

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odljjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bipnihgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dlncla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaqcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aiabhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mklfjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcidopb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amoknh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbhbbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpnpqakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beoimjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnjbdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcbeqaia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbaehl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepadh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bliajd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poidhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cleqfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c6c67ad602ba62ec75209f276998dd00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcicjbal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bliajd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clijablo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpchaqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aioebj32.exe

Executes dropped EXE 64 IoCs

pid	Process
3616	Jjgkab32.exe
2700	Jaqcnl32.exe
4604	Jeolckne.exe
4352	Jeaiij32.exe
764	Jlkafdco.exe
412	Koljgppp.exe
2324	Kdhbpf32.exe
1800	Kongmo32.exe
4616	Kbnlim32.exe
5100	Lacijjgi.exe
3504	Logicn32.exe
5068	Leabphmp.exe
1188	Lknjhokg.exe
4976	Llpchaqg.exe
3860	Lehhqg32.exe
3628	Mlbpma32.exe
4840	Mlemcq32.exe
3920	Mkgmoncl.exe
1000	Mklfjm32.exe
1020	Mebkge32.exe
1200	Mcfkpjng.exe
1920	Mdghhb32.exe
1892	Nheqnpjk.exe
4544	Nlcidopb.exe
4308	Ncmaai32.exe
4988	Nfnjbdep.exe
1828	Nbdkhe32.exe
1608	Nfpghccm.exe
2908	Ohqpjo32.exe
3704	Ookhfigk.exe
3176	Ochamg32.exe
4048	Odljjo32.exe
4928	Oflfdbip.exe
620	Pijcpmhc.exe
4864	Pfncia32.exe
1512	Pmhkflnj.exe
4812	Pofhbgmn.exe
1072	Pbddobla.exe
1480	Poidhg32.exe
3052	Piaiqlak.exe
2152	Pkoemhao.exe
2168	Pmoagk32.exe
2316	Pomncfge.exe
916	Qmanljfo.exe
1916	Qkdohg32.exe
2108	Qelcamcj.exe
1172	Qmckbjdl.exe
4464	Qcncodki.exe
1328	Aeopfl32.exe
4624	Apddce32.exe
4972	Aealll32.exe
3672	Apgqie32.exe
64	Aioebj32.exe
224	Apimodmh.exe
2104	Aiabhj32.exe
884	Alpnde32.exe
4136	Acgfec32.exe
1848	Amoknh32.exe
4644	Bcicjbal.exe
3552	Bldgoeog.exe
5160	Bemlhj32.exe
5216	Blgddd32.exe
5280	Beoimjce.exe
5336	Bliajd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Koljgppp.exe	Jlkafdco.exe
File created	C:\Windows\SysWOW64\Codncb32.dll	Nfnjbdep.exe
File created	C:\Windows\SysWOW64\Debnjgcp.exe	Clijablo.exe
File created	C:\Windows\SysWOW64\Nfnjbdep.exe	Ncmaai32.exe
File opened for modification	C:\Windows\SysWOW64\Nfnjbdep.exe	Ncmaai32.exe
File opened for modification	C:\Windows\SysWOW64\Amoknh32.exe	Acgfec32.exe
File created	C:\Windows\SysWOW64\Bipnihgi.exe	Bcbeqaia.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dlncla32.exe
File created	C:\Windows\SysWOW64\Pkoemhao.exe	Piaiqlak.exe
File created	C:\Windows\SysWOW64\Khhmbdka.dll	Pmoagk32.exe
File created	C:\Windows\SysWOW64\Qkdohg32.exe	Qmanljfo.exe
File opened for modification	C:\Windows\SysWOW64\Aioebj32.exe	Apgqie32.exe
File opened for modification	C:\Windows\SysWOW64\Logicn32.exe	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Qmckbjdl.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Fbelak32.dll	Cepadh32.exe
File created	C:\Windows\SysWOW64\Gdojoeki.dll	Ookhfigk.exe
File opened for modification	C:\Windows\SysWOW64\Odljjo32.exe	Ochamg32.exe
File created	C:\Windows\SysWOW64\Pofhbgmn.exe	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Cbaehl32.exe	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Dapijd32.dll	Piaiqlak.exe
File created	C:\Windows\SysWOW64\Jlkafdco.exe	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Najlgpeb.dll	Leabphmp.exe
File opened for modification	C:\Windows\SysWOW64\Lehhqg32.exe	Llpchaqg.exe
File opened for modification	C:\Windows\SysWOW64\Mcfkpjng.exe	Mebkge32.exe
File created	C:\Windows\SysWOW64\Ohqpjo32.exe	Nfpghccm.exe
File opened for modification	C:\Windows\SysWOW64\Cleqfb32.exe	Cifdjg32.exe
File opened for modification	C:\Windows\SysWOW64\Leabphmp.exe	Logicn32.exe
File created	C:\Windows\SysWOW64\Dedkogqm.exe	Debnjgcp.exe
File created	C:\Windows\SysWOW64\Qmanljfo.exe	Pomncfge.exe
File opened for modification	C:\Windows\SysWOW64\Bldgoeog.exe	Bcicjbal.exe
File created	C:\Windows\SysWOW64\Cleqfb32.exe	Cifdjg32.exe
File created	C:\Windows\SysWOW64\Efhbch32.dll	c6c67ad602ba62ec75209f276998dd00N.exe
File created	C:\Windows\SysWOW64\Mdghhb32.exe	Mcfkpjng.exe
File opened for modification	C:\Windows\SysWOW64\Pofhbgmn.exe	Pmhkflnj.exe
File opened for modification	C:\Windows\SysWOW64\Pbddobla.exe	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Pijcpmhc.exe	Oflfdbip.exe
File created	C:\Windows\SysWOW64\Dodipp32.dll	Jaqcnl32.exe
File created	C:\Windows\SysWOW64\Ndnoffic.dll	Koljgppp.exe
File created	C:\Windows\SysWOW64\Nlcidopb.exe	Nheqnpjk.exe
File created	C:\Windows\SysWOW64\Odljjo32.exe	Ochamg32.exe
File opened for modification	C:\Windows\SysWOW64\Alpnde32.exe	Aiabhj32.exe
File created	C:\Windows\SysWOW64\Eobepglo.dll	Aiabhj32.exe
File created	C:\Windows\SysWOW64\Kongimkh.dll	Jjgkab32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbpf32.exe	Koljgppp.exe
File created	C:\Windows\SysWOW64\Fooqlnoa.dll	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Aeopfl32.exe	Qcncodki.exe
File created	C:\Windows\SysWOW64\Edkakncg.dll	Nheqnpjk.exe
File created	C:\Windows\SysWOW64\Bldgoeog.exe	Bcicjbal.exe
File created	C:\Windows\SysWOW64\Jaepkejo.dll	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Dfidek32.dll	Lehhqg32.exe
File created	C:\Windows\SysWOW64\Boipkd32.dll	Bemlhj32.exe
File created	C:\Windows\SysWOW64\Aofbkbfe.dll	Pijcpmhc.exe
File created	C:\Windows\SysWOW64\Elgide32.dll	Bcbeqaia.exe
File created	C:\Windows\SysWOW64\Ndfchkio.dll	Cplckbmc.exe
File opened for modification	C:\Windows\SysWOW64\Debnjgcp.exe	Clijablo.exe
File opened for modification	C:\Windows\SysWOW64\Koljgppp.exe	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Nbdkhe32.exe	Nfnjbdep.exe
File created	C:\Windows\SysWOW64\Ochamg32.exe	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Chdjpphi.dll	Ochamg32.exe
File opened for modification	C:\Windows\SysWOW64\Llpchaqg.exe	Lknjhokg.exe
File opened for modification	C:\Windows\SysWOW64\Mdghhb32.exe	Mcfkpjng.exe
File created	C:\Windows\SysWOW64\Hpacoj32.dll	Pofhbgmn.exe
File opened for modification	C:\Windows\SysWOW64\Bliajd32.exe	Beoimjce.exe
File created	C:\Windows\SysWOW64\Mlemcq32.exe	Mlbpma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5560	5364	WerFault.exe	181

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdkhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpghccm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alpnde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acgfec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpnpqakp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklfjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookhfigk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blgddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beoimjce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cifdjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohqpjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apimodmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofhbgmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemlhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebkge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blknpdho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcbeqaia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clijablo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomncfge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcicjbal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odljjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cleqfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koljgppp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcidopb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lehhqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Debnjgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6c67ad602ba62ec75209f276998dd00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgqie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbaehl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlncla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnjbdep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkdohg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiabhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlbpma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bliajd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbhbbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfkpjng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dedkogqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpchaqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cplckbmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amoknh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldgoeog.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacmli32.dll"	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlncla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbelak32.dll"	Cepadh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bipnihgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcicjbal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgide32.dll"	Bcbeqaia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecnjaee.dll"	Cleqfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apgqie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbhbbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acgfec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clpgkcdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Debnjgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaqcnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llpchaqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpacoj32.dll"	Pofhbgmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdojoeki.dll"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abggif32.dll"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpnpqakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nheqnpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapijd32.dll"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjdhm32.dll"	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cehlcikj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqkiecpd.dll"	Aioebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqbolk32.dll"	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhmbdka.dll"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmccbngq.dll"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahgec32.dll"	Beoimjce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c6c67ad602ba62ec75209f276998dd00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jeolckne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpkdlkd.dll"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cplckbmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dlncla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddogn32.dll"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apimodmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beoimjce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpnpqakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pofhbgmn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 3616	720	c6c67ad602ba62ec75209f276998dd00N.exe	91
PID 720 wrote to memory of 3616	720	c6c67ad602ba62ec75209f276998dd00N.exe	91
PID 720 wrote to memory of 3616	720	c6c67ad602ba62ec75209f276998dd00N.exe	91
PID 3616 wrote to memory of 2700	3616	Jjgkab32.exe	92
PID 3616 wrote to memory of 2700	3616	Jjgkab32.exe	92
PID 3616 wrote to memory of 2700	3616	Jjgkab32.exe	92
PID 2700 wrote to memory of 4604	2700	Jaqcnl32.exe	93
PID 2700 wrote to memory of 4604	2700	Jaqcnl32.exe	93
PID 2700 wrote to memory of 4604	2700	Jaqcnl32.exe	93
PID 4604 wrote to memory of 4352	4604	Jeolckne.exe	94
PID 4604 wrote to memory of 4352	4604	Jeolckne.exe	94
PID 4604 wrote to memory of 4352	4604	Jeolckne.exe	94
PID 4352 wrote to memory of 764	4352	Jeaiij32.exe	95
PID 4352 wrote to memory of 764	4352	Jeaiij32.exe	95
PID 4352 wrote to memory of 764	4352	Jeaiij32.exe	95
PID 764 wrote to memory of 412	764	Jlkafdco.exe	96
PID 764 wrote to memory of 412	764	Jlkafdco.exe	96
PID 764 wrote to memory of 412	764	Jlkafdco.exe	96
PID 412 wrote to memory of 2324	412	Koljgppp.exe	97
PID 412 wrote to memory of 2324	412	Koljgppp.exe	97
PID 412 wrote to memory of 2324	412	Koljgppp.exe	97
PID 2324 wrote to memory of 1800	2324	Kdhbpf32.exe	99
PID 2324 wrote to memory of 1800	2324	Kdhbpf32.exe	99
PID 2324 wrote to memory of 1800	2324	Kdhbpf32.exe	99
PID 1800 wrote to memory of 4616	1800	Kongmo32.exe	101
PID 1800 wrote to memory of 4616	1800	Kongmo32.exe	101
PID 1800 wrote to memory of 4616	1800	Kongmo32.exe	101
PID 4616 wrote to memory of 5100	4616	Kbnlim32.exe	102
PID 4616 wrote to memory of 5100	4616	Kbnlim32.exe	102
PID 4616 wrote to memory of 5100	4616	Kbnlim32.exe	102
PID 5100 wrote to memory of 3504	5100	Lacijjgi.exe	103
PID 5100 wrote to memory of 3504	5100	Lacijjgi.exe	103
PID 5100 wrote to memory of 3504	5100	Lacijjgi.exe	103
PID 3504 wrote to memory of 5068	3504	Logicn32.exe	104
PID 3504 wrote to memory of 5068	3504	Logicn32.exe	104
PID 3504 wrote to memory of 5068	3504	Logicn32.exe	104
PID 5068 wrote to memory of 1188	5068	Leabphmp.exe	106
PID 5068 wrote to memory of 1188	5068	Leabphmp.exe	106
PID 5068 wrote to memory of 1188	5068	Leabphmp.exe	106
PID 1188 wrote to memory of 4976	1188	Lknjhokg.exe	107
PID 1188 wrote to memory of 4976	1188	Lknjhokg.exe	107
PID 1188 wrote to memory of 4976	1188	Lknjhokg.exe	107
PID 4976 wrote to memory of 3860	4976	Llpchaqg.exe	108
PID 4976 wrote to memory of 3860	4976	Llpchaqg.exe	108
PID 4976 wrote to memory of 3860	4976	Llpchaqg.exe	108
PID 3860 wrote to memory of 3628	3860	Lehhqg32.exe	109
PID 3860 wrote to memory of 3628	3860	Lehhqg32.exe	109
PID 3860 wrote to memory of 3628	3860	Lehhqg32.exe	109
PID 3628 wrote to memory of 4840	3628	Mlbpma32.exe	110
PID 3628 wrote to memory of 4840	3628	Mlbpma32.exe	110
PID 3628 wrote to memory of 4840	3628	Mlbpma32.exe	110
PID 4840 wrote to memory of 3920	4840	Mlemcq32.exe	111
PID 4840 wrote to memory of 3920	4840	Mlemcq32.exe	111
PID 4840 wrote to memory of 3920	4840	Mlemcq32.exe	111
PID 3920 wrote to memory of 1000	3920	Mkgmoncl.exe	112
PID 3920 wrote to memory of 1000	3920	Mkgmoncl.exe	112
PID 3920 wrote to memory of 1000	3920	Mkgmoncl.exe	112
PID 1000 wrote to memory of 1020	1000	Mklfjm32.exe	113
PID 1000 wrote to memory of 1020	1000	Mklfjm32.exe	113
PID 1000 wrote to memory of 1020	1000	Mklfjm32.exe	113
PID 1020 wrote to memory of 1200	1020	Mebkge32.exe	114
PID 1020 wrote to memory of 1200	1020	Mebkge32.exe	114
PID 1020 wrote to memory of 1200	1020	Mebkge32.exe	114
PID 1200 wrote to memory of 1920	1200	Mcfkpjng.exe	115

C:\Users\Admin\AppData\Local\Temp\c6c67ad602ba62ec75209f276998dd00N.exe
"C:\Users\Admin\AppData\Local\Temp\c6c67ad602ba62ec75209f276998dd00N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:720
- C:\Windows\SysWOW64\Jjgkab32.exe
  C:\Windows\system32\Jjgkab32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\SysWOW64\Jaqcnl32.exe
    C:\Windows\system32\Jaqcnl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\Jeolckne.exe
      C:\Windows\system32\Jeolckne.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
      - C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Lehhqg32.exe
        
        C:\Windows\system32\Lehhqg32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Mkgmoncl.exe
        
        C:\Windows\system32\Mkgmoncl.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Amoknh32.exe
        
        C:\Windows\system32\Amoknh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\Bcicjbal.exe
        
        C:\Windows\system32\Bcicjbal.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        66⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Bcbeqaia.exe
        
        C:\Windows\system32\Bcbeqaia.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Bmkjig32.exe
        
        C:\Windows\system32\Bmkjig32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        72⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        74⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Cpnpqakp.exe
        
        C:\Windows\system32\Cpnpqakp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        78⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Cepadh32.exe
        
        C:\Windows\system32\Cepadh32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Dlncla32.exe
        
        C:\Windows\system32\Dlncla32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5364 -s 412
        86⤵
        Program crash
        
        PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5364 -ip 5364
1⤵
PID:5456

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
1⤵
PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apddce32.exe

Filesize
386KB

MD5
575a14ea0ed0f8b2ef3aa52285827a76

SHA1
731e430ba037317ae2faebc6ae919c49ac1bd053

SHA256
fd61e526542fd271a54df53a92e9a42dc15ca7c5f18b26adfd5a021b8aa3f2f9

SHA512
6536732af922b9ade4053110f1215795fa30591a74b275e721b66ff95887dc4051f1bd3b0dd9a29d7679dd212ca023b4a9b70b9b0dd42fafe2425356588b5aa9

Download Submit
C:\Windows\SysWOW64\Apgqie32.exe

Filesize
386KB

MD5
a26beab868e562d06be98862363dd0cd

SHA1
b506ab2fef9093ab8248d6715421b8b5927eefbd

SHA256
d21eb5b7ea91a52d8eec20988813e89cf1dcc214026bc7009cf1b75071416544

SHA512
4db99886ddba488f7e78254057a06af7777d6b58e820d51dc8f2215d5365fdb888669704bdc88686ba9d8562e9ca6854c856495d15502329c733c80aa5a40c35

Download Submit
C:\Windows\SysWOW64\Bldgoeog.exe

Filesize
386KB

MD5
8fe976fbbd3fe19951a8ac91ed1fc0af

SHA1
8e47abfb7d4cc18c61335ada4af114802f344818

SHA256
243e3ee849fa675e58e902ae2f59645df4335504bdcbd70c0d8b22644a215531

SHA512
385f79da495307eaf63ceb59589f839da044db58ff14d8c5030ef749271b74a61080ee6cdcd4db68c4dcde48b991f6c0f90ba9cb29d6a87967c5a7ce79b515e7

Download Submit
C:\Windows\SysWOW64\Dcmnee32.dll

Filesize
7KB

MD5
a8d2edd8b824060e2bb57130672268d4

SHA1
b360aea45bcc12e2cf3f3a2c6433e2eeab4618b4

SHA256
2690125923448c9e17cf2ca2abe6c6ae1f2fed59d0987181641e0a881ffe5e2b

SHA512
2468a4eb3888b6ec94e3e86c3c0e1760c69e4b140d01c5dee9e45f8d8b24258d450cbbf67828a12e99930d0a5d92b4ebd86e3a7425b45078d755e3de6fe18f17

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
386KB

MD5
4e303c5f4b074ae3ff0dc1d661615714

SHA1
ba45a0a90ff8101c3c86ea3fe1e5acde06ca5926

SHA256
c8ae6baa4ac925812671d8f6a9205ca8f6e51d8d3a2d181441b4d0d06ce64871

SHA512
4e6ffbf5d292dd36ba084a0c11f94817080e84d30652a5bc97650938fa35a41f393c90a70d2b131cf4ce9bb3cbbf3437d4820345964735d4605cea4645057d84

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
386KB

MD5
7badb16e4282b5aeb0d566740ec5e4c3

SHA1
d52ea317a1637ec94e9f1a3cb8b5a73ec361758b

SHA256
465d45a0ab5d33d21608aff5cc8da9218a8b1348b350296e3e3e3162292ce763

SHA512
39a0ea5634be82824ff22ad2b939688266119bc69f865b350d567fbfd7644f1dbf3c995ef384edfeccd000374384f25b0da196c8d27d43de6f24e0e078123d95

Download Submit
C:\Windows\SysWOW64\Jeolckne.exe

Filesize
386KB

MD5
c54bb3306bfc4d09827a71f2fd91288e

SHA1
bff0828c7049e7542cbef6f191b7147f3627f239

SHA256
65f8569b12e306a1af34f0dd66696fb0f172bdb560140609122418e714a5e56c

SHA512
eba76e720dfd04f74f17858c03cce3c1eb9a57a960a3e84fb3d32d63de0b55dc28bd02aa81d71f228f83201364b0e74da282119aeb7ceca45ddc4757d9640dc7

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
386KB

MD5
ec5410f4ac3bb9eb6de8f43a78b58ff0

SHA1
59b4935887e1485471290f5d78cdd77820edb7ef

SHA256
da30f27e220ebb468ce98071789ba1c1270a24bc5331b5add6f63b614cd92baf

SHA512
a7b05350abc27b55ca60ec820edeeef8a25d9a49766841eeed47cadf47a864614a962a0926dd90e1035929cdb09b998351c323acc3f430726266d0db9cb3466c

Download Submit
C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
386KB

MD5
c65990902c974d708874b803ef5849c6

SHA1
74c87f7c5a8d54706ffcb5bbf48df7e7caf35492

SHA256
41bb32534a40cf91a029aa6a485312019e51ab5ef005b766e78ff47c060df4c6

SHA512
bb2c9810b5a3a047ce9f192ba5edf919aac53378584f79d1c65639c932d7451d36c914fe28aca79dc766e86e21ec592e7d03213f0c27d074697e8289f1941ae1

Download Submit
C:\Windows\SysWOW64\Kbnlim32.exe

Filesize
386KB

MD5
d8acc0f44d68b3ddae30efd1f400d7cf

SHA1
f0eb6535357d4eb61c83d514ca6472cba36f2601

SHA256
eab120dcb5f9893bb89df7e291a40866e235e6a7898eb10c680aef3c4561d077

SHA512
2ef44c4058dcabd6c7be320eb77a54137efa3cfab30eb5a21a40e9fe7e72886219859366fa62c52176e794f1af10fec1eef3f4b49787d520cca63bad8abeb334

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
386KB

MD5
bacc96799043d5e579e84c2b35b08f77

SHA1
7e79f0fe5840ad221304ddc74919eb766173b2fe

SHA256
9fd333f3034a28a7c0968bb89a6a4c0d2960366cda2773716429ac82d1de645d

SHA512
ff3c344704bfc55ca2faa716686642f08b06e9f6104ddc31d4fdc3dfa05b8aa03b80af0e7b57ce1fef38f1cb77b44538f2b923ab7b393ea868788587913ca3d8

Download Submit
C:\Windows\SysWOW64\Koljgppp.exe

Filesize
386KB

MD5
a1b8d248c37603e3a68bb1bed7b42502

SHA1
893be66fb0f2ef1822d0e87cf42743af5582982b

SHA256
cb6f0b08cce2d78119f183067a59c2265d7f0d48dd5143b0f51e320369f2b36a

SHA512
514c458ba962d95f388f924b0d8a769ced1956810cb94c5f452e495b74fece3975100bd2f429ee3a54618aed8dff15813cfaa49a2b1f274b7a548bb9b06dc169

Download Submit
C:\Windows\SysWOW64\Kongmo32.exe

Filesize
386KB

MD5
91834b46375a503c460135d383ddb5a3

SHA1
af4afbc071a1d41e0dabf7be95a8c949ff165cc6

SHA256
5dd19779d6671d17a9d2b63f8b2f4a4d35345d0acc8aaa5fe9456b592efcb866

SHA512
84c03a357f4de0af4360d2a7efc65e9b96768fd767869dab19066d92689013bd69515ea6ccdcc75f49ffaceb0a23df7db1cadf8ff21954490d2d7c5c70772abe

Download Submit
C:\Windows\SysWOW64\Lacijjgi.exe

Filesize
386KB

MD5
4c3f59d0600dd78603342602891f7254

SHA1
b0850080126c4ce07d041346a5ee0dcb24669dda

SHA256
a5a36ac8830e099da07d8f3a584d597cff3f69a37254f50868698b4ab394a755

SHA512
d70a0fd8f38ab34118e8159dffbda0d4c0b39cc546b45b746750c0738c3cc24d479ee0d895f8569710dca40b616dc5de39061915c8e2bd43d034dd144944749b

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
386KB

MD5
517c5a3838c8913f49334e1e24a4da48

SHA1
d007025904c89aba60e67c394e0858bee00880a5

SHA256
071eca88d7fa4f98b1ac1daf39dd4471c5d88a55c0199725c3a77bcfc7b3ab79

SHA512
365c3dacd275e56f226c5c4efe63fbc241d2ed1b5f81e518fc499949c8c22423fde8ad90f4e035dc81fe4eb3858e323346abcdbddc8252e6aacc03e230fd4be3

Download Submit
C:\Windows\SysWOW64\Lehhqg32.exe

Filesize
386KB

MD5
8b378ba93dc3e7a0aa2a6e7a48656cfc

SHA1
c2dcb895644e5a63a133baa81ffbc881dcca444f

SHA256
8a02e5efddbe8fe9325373a32126f59ab0932289b145c58f1fecb81d94dc2db5

SHA512
cc77818ac6ec07e2ea46ddc102661bfb51bf3d53ad8934262f273645a8396e3bde871f4d080c8dcbbd578078b0b674adf8cbf87f7e9bbc7051b4ff86fefbae6c

Download Submit
C:\Windows\SysWOW64\Lknjhokg.exe

Filesize
386KB

MD5
882017e1894afa20dbe48589c5691b3b

SHA1
a9b3fe8f1a121ab70314d57b5f2c71064386fca5

SHA256
1052ad55cf28e88665acbc2aa769e027959714a4079ee6d72dd31d33ac02c550

SHA512
e50096d0ef9c5892d9ca9be6b04d03e3672bea3a54f28d93c8b47df6d1a8fe04be25b6e1b183e2b250a396c157625c788ee0afb6ee8bc2e5065be068b10be464

Download Submit
C:\Windows\SysWOW64\Llpchaqg.exe

Filesize
386KB

MD5
1fe8ce210f4c82a82d390fb9d5ba0eeb

SHA1
41efd2a985bb1c9d447c74a6112e2108168ee5b1

SHA256
5b33e1efefcca5fd58dc58589315c48500b89e3c27b4524dc3fd86c70f27bc3b

SHA512
15087d4c454ad4afee72299f9f988948ba53b1b8ee8ec1c1408a616e0d2a866076baa394fd0055aded3a3e3dfff5c1c75939bca8fe44e9a0007f125e71921a6b

Download Submit
C:\Windows\SysWOW64\Logicn32.exe

Filesize
386KB

MD5
8d95c87add24b664fb70cc0dd230dcdb

SHA1
8434be65f741706b6bae9ef909a332be3450d856

SHA256
58675a201570a28e2ef3bd63d1bb8c8419ddd102e795b6db0799f36cfdb5e34f

SHA512
fbed9ecb96d02d3274ec64bea2e8de26524ffe6d9c1409d1fe46330e67a11523fa7ac3babc46d34ee08b4a4991e6545273d2a94af02fa58cce64f3174f0f0330

Download Submit
C:\Windows\SysWOW64\Mcfkpjng.exe

Filesize
386KB

MD5
c498f018e24b6f7346c1035701e60f84

SHA1
05dc17ee501dd4c668dda2fad0ea471925afac04

SHA256
595c27257e8773804e6a33d280ae869e4e8d8b1a9c628d51bb59c78053453661

SHA512
4103912c1378eb65660da27040c43d99ef61b38e93c794c31c86e5faedb7f0e6c15828686057ce7a38ceffe5e37454e4b4866e2305f4205cb7c0f9e4550b415a

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
386KB

MD5
c6c8d057997858629f43df5d910bc990

SHA1
ab7258599c9bca2c2825b007061f1becbebc7e3d

SHA256
fb604251ae6e766e4a986d70054871770ec0de0b0e3bb37c7c5e76ad16f00c0a

SHA512
8e4d1e87e82e1bb23bf132584de837c526e364afa8a5fb31ff6d8ad98033cf6729e8639d530cc712323349198ef886b6b02595d4ab7b06db046296750caed499

Download Submit
C:\Windows\SysWOW64\Mebkge32.exe

Filesize
386KB

MD5
962a69b48ae4a8bef55e37f41c2190bd

SHA1
14e41c1fa401c602228cb60bf0812e542aa0f161

SHA256
7b33f939909b49d86b0281e08ed77673b47f55336afc67da62274297e1d562e9

SHA512
22b2ea1beb5bb1b85fe98bab1c61b059761fca27dfd2fcd8b2a601583027a98fc9c53f8fec48db0ef8e715366b5f44e6af0ba603ca57859355a464163a87894c

Download Submit
C:\Windows\SysWOW64\Mkgmoncl.exe

Filesize
386KB

MD5
71251ce8d9d03ee0c3e2afad52aeb908

SHA1
d6b289da503ac7242482029003df49c66d847467

SHA256
643c07d52bb5e98d84d94ff3de8c3844c3f7c06ad2dcbd89507df1d1f8b4e681

SHA512
d22cf5890ad50d245517f165ed5b4418389251dd3bbf9dff17fde60f4d8bdc37744d5db05c49d4ac203f7dcd00337c8ad11619d9e50aad1d0a90cb4d8881ac66

Download Submit
C:\Windows\SysWOW64\Mklfjm32.exe

Filesize
386KB

MD5
7eef855ea4a3994336f82d8b6948c38a

SHA1
17acd4d1afe8ce3712a7a61d5c98d766c3c3928d

SHA256
ffc21d86471bb181d0777835bb7140cb944fd83c6aca7d21e96451b16a371f20

SHA512
0a40b1721972763ffe42343859d6b73789ca24023900074d7cc2600b445a85801e68ef372034048be3e85a5a70c8bc153cdad9c26bfca9e86585180d9a49e4b7

Download Submit
C:\Windows\SysWOW64\Mlbpma32.exe

Filesize
386KB

MD5
cf588f39c038d78cf097babebd5e3df1

SHA1
99f3ef7faf06aa15f68fc5206f9a1e9dcaf6a58f

SHA256
ed5d48e3a42eff91819b75f61cf4a162ba79c0bfa28fb2e4ad178fd1cdbf0154

SHA512
4e9b4c4ad2cc9d24d3c47f8b3a2baf307f3fd5da4356c86a3213a6b54c0dfa445cbd13050594b27291f395edb7102aef25060f6066cad4617c7e778d129edbd5

Download Submit
C:\Windows\SysWOW64\Mlemcq32.exe

Filesize
386KB

MD5
7f12446c0096a22b4cb83a8169013b03

SHA1
f39590c4d9684151e7e943135ebc43dd74ba0925

SHA256
ff90d1baffd69b44fb9ea35d2501280d1893d87e86a4f4505879169a908c780e

SHA512
9a803b11748591343a8501b6ee638c68259da775b116012239ec3f7618f9905c1a61642ffbe02fd3c26469c91e8fb28091b343d7eb5b813b2816e3f96d7c8fc2

Download Submit
C:\Windows\SysWOW64\Nbdkhe32.exe

Filesize
386KB

MD5
141f2470c8776dffadf4edc8a7a4bbc1

SHA1
e4c14117f3e2bb05f2919c87160b06285dab01e6

SHA256
0f41072a69b09d4bce2702aea3b1d4efec193c194680190fd7f57c705278cfe7

SHA512
03341e5a5a2614bdb2091580854bd46387d6cb7b64c11a95f6c0cda13a49b54f9bd699dcfaafa90d3bde539bd880d626f48a7bba8871c6c831b6041db3d4733c

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
386KB

MD5
827ae82b7de639188deca2120973e912

SHA1
d8e056ad5d487259b003f39944b36acc815b32c4

SHA256
a2ec440bfb1eb0a8ad5cc0ae48ca65691839b8714d1da67cb65e4efddfb6986c

SHA512
79cda8328ab7817d9776218b05cdb995123ffe3fb19366440b0c96c116f4f375dfd78a00db82337b8f946ccb44742db0a8ae66b55d6eddf9d3a9b4bfc1a37d83

Download Submit
C:\Windows\SysWOW64\Nfnjbdep.exe

Filesize
386KB

MD5
9f46c7494ee70898fff478ebe90e6c12

SHA1
5bae7c9559b5abb24316943673a5e2f27aa40bfd

SHA256
080f51df4d2d5b06bf3584830518f451cd2843c3769c1b5f1c40172c197b1a44

SHA512
7f31146a42f50b3c80554d9f3103815a02670f1b90405864820acce3e6cadaff5aa1bd9904d4ae404bffa56ae36f31b91f2648e0daa7eaf674d8ffc31379eae6

Download Submit
C:\Windows\SysWOW64\Nfpghccm.exe

Filesize
386KB

MD5
ab18c69259fb6ed644038040432d7e83

SHA1
57ee7dfcb7709e6d740af3825a6272ae44acd168

SHA256
7cd1e4f7e7c95dfb5eb5b2f1ed4c8bc78d4d293112d86452339a43de134f80aa

SHA512
84e5aeb7168bb415a151b22c4d8f67401efd9dc86d142b4933325aa2583c123373c066d8cdf79806a314abae1d9e13da0288000cacdcb441e7af42a5552da187

Download Submit
C:\Windows\SysWOW64\Nheqnpjk.exe

Filesize
386KB

MD5
b24ba47ea488ea6ea05cdebd8c9c0781

SHA1
5d0625ad43b14bd8994f3ea3207138f8e3d50327

SHA256
dd915c709dacaf69cef899dba9f5a472362ee91ede402a7545a65b701fdfbe63

SHA512
a990f2d5750ee5c8df7e6748358b22303ab722a33c407fcfc10026f39487155c1db08a9faf4c84f984c106ae2179d578418430e7b395292d853a8ca83bc40525

Download Submit
C:\Windows\SysWOW64\Nlcidopb.exe

Filesize
386KB

MD5
823fc61e791c92b3a145c64815a93a29

SHA1
e2c752769fa247559371ec8e392c854923afcc17

SHA256
ae6aedc6692d243dd04d370ca5bc34d74a40cf6861696973348e283dbac5774e

SHA512
25eaa2af9c5aa52baf2923b88e2b3f69b855121eff6f3c5e78fec3c4d993c3df5aa52c32f70009f39838e73cf1cdf60f7d6bd331c158f1e9dab3ed5108369f63

Download Submit
C:\Windows\SysWOW64\Ochamg32.exe

Filesize
386KB

MD5
3a6d954bf435620fb59bc53ea327108d

SHA1
c90e01df59ec9030ae1142dd8e620cfcb5e1408e

SHA256
61b1113f74b290166f9233b7c7f6a60674b76f4205281a606869bd2654580a94

SHA512
fa60df1afbd20d5d6c6e96ca8996426716745b2edaac8f59fcab46404d92a48a8e065b39127749c927c332f09334a7fb941ec5c8ba53e7565bcda6c432b7a004

Download Submit
C:\Windows\SysWOW64\Odljjo32.exe

Filesize
386KB

MD5
f5564f86abeaef2c62ba994c926bb5d6

SHA1
ea5633422d93f1ebf309e43f19095a8244b13c31

SHA256
179cf2bd8a258666a323406f54863d4f4c2aa1b04a6d6165e20d7890153418d5

SHA512
dad2807294d4e59736b94f0294c647488d84356ed577c4eb5a88b8f133f3b0e7654675ef8e77f5edf38fea40e112f9d4c0919ec49219a04ee42ff7396704ed10

Download Submit
C:\Windows\SysWOW64\Ohqpjo32.exe

Filesize
386KB

MD5
12d127ee10a2fd8f996a0d889ce03603

SHA1
b63f5aa1c22da53139be4cf251d43a7beae8d19a

SHA256
e4b3f854aafcbd9639558b7761d210159a62529a2b7d739f27f90467fc0eed6c

SHA512
7fac3c8c82b325afebed43455f9a914532f5110485201e5fcfb564710632b51ec9542ba89e528cc437bc849444b13f7e42f52903d031136efa13b7e1f12e2146

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
386KB

MD5
97a55e7fe9e91759c6ef8f861aefa157

SHA1
6d2232d52524a87c9551b23dd7725f16e9a736a2

SHA256
d1f09c93c6fa86e8af7423046566b38b29a86a0bb39101175d924cb8a3163638

SHA512
1c48d239d53496b1be2e9b2c7c91a63a5af46b10287c9935f60f5cac4bdbff29f3314916d64be9b34d0a62d70d2ef7a0d788b3eec8184f43e754f39a5c139cba

Download Submit
C:\Windows\SysWOW64\Pmhkflnj.exe

Filesize
386KB

MD5
4637398ea26f3ac2d6d593c91aa6d5ca

SHA1
e059d3128c06bf9f0da3e9f7792131019fc1f29f

SHA256
13f686f906abe6cf99a77ef998079a84af636064181ef47b70fc5c8fd8a925a9

SHA512
f2eedf9ea174216b2a0ee4822a0b9559de8c3d5b578a5a61035f07ab1d5a68aa24438baf21295fdb0ce31833529601d99f18a02bc41fd78544304d49232fb819

Download Submit
memory/64-380-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/224-386-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/412-48-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/620-266-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/720-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/720-541-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/764-44-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/884-398-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/916-326-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1000-150-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1020-158-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1072-290-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1172-344-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1188-104-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1200-166-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1328-356-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1480-296-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1512-283-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1608-222-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1800-63-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1848-410-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1892-183-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1916-332-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1920-174-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2104-392-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2108-338-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2152-308-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2168-318-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2316-320-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2324-56-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2348-549-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2348-577-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2700-555-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2700-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2908-230-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3052-306-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3176-246-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3504-92-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3552-422-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3616-8-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3616-548-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3672-374-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3704-238-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3860-120-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3920-143-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4048-253-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4136-404-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4308-199-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4352-34-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4352-568-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4464-350-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4544-190-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4604-24-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4604-561-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4616-72-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4624-362-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4644-416-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4812-284-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4840-139-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4864-272-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4928-260-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4972-368-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4976-111-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4988-207-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5068-95-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5100-80-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5160-428-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5204-575-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5216-434-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5280-440-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5288-572-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5288-562-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5336-446-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5364-573-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5364-569-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5388-452-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5440-458-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5512-468-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5568-474-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5616-476-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5708-487-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5756-493-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5796-499-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5864-505-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5904-589-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5904-511-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5944-587-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5944-517-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5984-523-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5984-585-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/6024-529-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/6024-583-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/6064-539-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/6064-581-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/6104-579-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/6104-542-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads