fb8877b4caf85e8cbf91243fb9f5796e30dd788ee49da9b536261a9c1e51a76b

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c8191349d87993b10d397e4163b7d20N.exe
Size

128KB
MD5

7c8191349d87993b10d397e4163b7d20
SHA1

40dc37cd58166b88583ea9feedd4485887406b0f
SHA256

fb8877b4caf85e8cbf91243fb9f5796e30dd788ee49da9b536261a9c1e51a76b
SHA512

08efd55af58a35ef960e5015b254c996be5346b1fdb904428c0a2a6df5422fab6adfeed1e035edcc2b708f4b1420cbcf3702b5e3ecadf37bc06b11df88af1fe7
SSDEEP

3072:bPcJQZ2c8+KYsEXNjShiQCPxMeEvPOdgujv6NLPfFFrKP9:bH2wXdShrCJML3OdgawrFZKP

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lamlphoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nheqnpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbbnbemf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aealll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odedipge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pokanf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abcppq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhdggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7c8191349d87993b10d397e4163b7d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nconfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obidcdfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lamlphoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okolfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkhlcnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obkahddl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oheienli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlefjnno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nofoki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qifbll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qihoak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfkpjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Podkmgop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkhlcnb.exe

Executes dropped EXE 64 IoCs

pid	Process
784	Lhdggb32.exe
3024	Lamlphoo.exe
2324	Ldkhlcnb.exe
4332	Mkepineo.exe
3580	Maoifh32.exe
5012	Mcfkpjng.exe
928	Mdghhb32.exe
4176	Nlnpio32.exe
1936	Nchhfild.exe
4548	Nheqnpjk.exe
1992	Nkcmjlio.exe
2288	Ndlacapp.exe
4128	Napameoi.exe
880	Nlefjnno.exe
5116	Nconfh32.exe
740	Nbbnbemf.exe
4736	Nlgbon32.exe
2748	Nofoki32.exe
4716	Ohncdobq.exe
4340	Oohkai32.exe
3252	Obfhmd32.exe
4292	Odedipge.exe
3804	Ohqpjo32.exe
336	Okolfj32.exe
1716	Ookhfigk.exe
4596	Ocfdgg32.exe
3300	Obidcdfo.exe
4864	Ofdqcc32.exe
4508	Odgqopeb.exe
3220	Oloipmfd.exe
3644	Okailj32.exe
2400	Ochamg32.exe
2864	Obkahddl.exe
4356	Ofgmib32.exe
3880	Oheienli.exe
636	Omaeem32.exe
4156	Okceaikl.exe
1976	Oooaah32.exe
3832	Obnnnc32.exe
4988	Ofijnbkb.exe
600	Ohhfknjf.exe
4708	Omcbkl32.exe
4376	Ooangh32.exe
468	Ocmjhfjl.exe
5136	Oflfdbip.exe
5168	Pdngpo32.exe
5216	Pmeoqlpl.exe
5248	Podkmgop.exe
5296	Pcpgmf32.exe
5328	Pfncia32.exe
5376	Pdqcenmg.exe
5416	Pmhkflnj.exe
5456	Pofhbgmn.exe
5496	Pcbdcf32.exe
5536	Pbddobla.exe
5576	Pecpknke.exe
5608	Piolkm32.exe
5656	Pkmhgh32.exe
5692	Poidhg32.exe
5728	Pbgqdb32.exe
5772	Peempn32.exe
5808	Pmmeak32.exe
5856	Pkoemhao.exe
5896	Pokanf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mhinoa32.dll	Qckfid32.exe
File created	C:\Windows\SysWOW64\Ofijnbkb.exe	Obnnnc32.exe
File created	C:\Windows\SysWOW64\Nchhfild.exe	Nlnpio32.exe
File created	C:\Windows\SysWOW64\Inkqjp32.dll	Ochamg32.exe
File opened for modification	C:\Windows\SysWOW64\Ocmjhfjl.exe	Ooangh32.exe
File created	C:\Windows\SysWOW64\Pdngpo32.exe	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Pdqcenmg.exe	Pfncia32.exe
File created	C:\Windows\SysWOW64\Qebeaf32.dll	Pcijce32.exe
File opened for modification	C:\Windows\SysWOW64\Qppkhfec.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Gpdkpe32.dll	Ldkhlcnb.exe
File opened for modification	C:\Windows\SysWOW64\Piolkm32.exe	Pecpknke.exe
File created	C:\Windows\SysWOW64\Ifoglp32.dll	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Ohbikenl.dll	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Oflfdbip.exe	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Lbnjfh32.dll	Nlgbon32.exe
File created	C:\Windows\SysWOW64\Odpldj32.dll	Ofdqcc32.exe
File created	C:\Windows\SysWOW64\Lcoeiajc.dll	Pbddobla.exe
File created	C:\Windows\SysWOW64\Fddogn32.dll	Pkmhgh32.exe
File created	C:\Windows\SysWOW64\Dapijd32.dll	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Kialcj32.dll	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Mqkbjk32.dll	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Omclnn32.dll	Nlefjnno.exe
File created	C:\Windows\SysWOW64\Cdkdne32.dll	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Gdojoeki.dll	Okailj32.exe
File created	C:\Windows\SysWOW64\Hpacoj32.dll	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Bgcboj32.dll	Peempn32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkhlcnb.exe	Lamlphoo.exe
File created	C:\Windows\SysWOW64\Ocfdgg32.exe	Ookhfigk.exe
File opened for modification	C:\Windows\SysWOW64\Oheienli.exe	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Coffcf32.dll	Lamlphoo.exe
File created	C:\Windows\SysWOW64\Aocdjq32.dll	Maoifh32.exe
File created	C:\Windows\SysWOW64\Odedipge.exe	Obfhmd32.exe
File created	C:\Windows\SysWOW64\Pmejnpqp.dll	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Mdghhb32.exe	Mcfkpjng.exe
File opened for modification	C:\Windows\SysWOW64\Pmeoqlpl.exe	Pdngpo32.exe
File opened for modification	C:\Windows\SysWOW64\Akihcfid.exe	Aijlgkjq.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Oooaah32.exe
File opened for modification	C:\Windows\SysWOW64\Pmhkflnj.exe	Pdqcenmg.exe
File opened for modification	C:\Windows\SysWOW64\Okolfj32.exe	Ohqpjo32.exe
File opened for modification	C:\Windows\SysWOW64\Nheqnpjk.exe	Nchhfild.exe
File opened for modification	C:\Windows\SysWOW64\Ndlacapp.exe	Nkcmjlio.exe
File created	C:\Windows\SysWOW64\Nbfndd32.dll	Oloipmfd.exe
File created	C:\Windows\SysWOW64\Pbddobla.exe	Pcbdcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeak32.exe	Peempn32.exe
File created	C:\Windows\SysWOW64\Ldkhlcnb.exe	Lamlphoo.exe
File created	C:\Windows\SysWOW64\Pehjfm32.exe	Pokanf32.exe
File created	C:\Windows\SysWOW64\Qelcamcj.exe	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Gcdfnq32.dll	Ohqpjo32.exe
File created	C:\Windows\SysWOW64\Bqpqlhmf.dll	Pmeoqlpl.exe
File opened for modification	C:\Windows\SysWOW64\Qfjcep32.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Alinebli.dll	7c8191349d87993b10d397e4163b7d20N.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmjlio.exe	Nheqnpjk.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	Oooaah32.exe
File created	C:\Windows\SysWOW64\Ohhfknjf.exe	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Bbndhppc.dll	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Qpbgnecp.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Maoifh32.exe	Mkepineo.exe
File created	C:\Windows\SysWOW64\Apddce32.exe	Akihcfid.exe
File opened for modification	C:\Windows\SysWOW64\Qelcamcj.exe	Qfjcep32.exe
File opened for modification	C:\Windows\SysWOW64\Ofdqcc32.exe	Obidcdfo.exe
File opened for modification	C:\Windows\SysWOW64\Obkahddl.exe	Ochamg32.exe
File created	C:\Windows\SysWOW64\Pqoppk32.dll	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Miiepfpf.dll	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Iipkfmal.dll	Poidhg32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbnbemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohqpjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omaeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoifh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c8191349d87993b10d397e4163b7d20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obidcdfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohncdobq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obkahddl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdngpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obfhmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nheqnpjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefjnno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookhfigk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmjlio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhdggb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkepineo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napameoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofoki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldkhlcnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oohkai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooangh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poidhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifbll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lamlphoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedipge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpacoj32.dll"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhinoa32.dll"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqkbjk32.dll"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmpakdh.dll"	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndlacapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgnqacq.dll"	Oooaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdojoeki.dll"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kialcj32.dll"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conllp32.dll"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7c8191349d87993b10d397e4163b7d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debaqh32.dll"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqpqlhmf.dll"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfncia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odgqopeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmejnpqp.dll"	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiebmbnn.dll"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkbdql32.dll"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7c8191349d87993b10d397e4163b7d20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgoikbje.dll"	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omclnn32.dll"	Nlefjnno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfjc32.dll"	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pokanf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qihoak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Napameoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omaeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abcppq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll"	Apddce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okolfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ochamg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknmjgje.dll"	Abcppq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oohkai32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 784	2736	7c8191349d87993b10d397e4163b7d20N.exe	91
PID 2736 wrote to memory of 784	2736	7c8191349d87993b10d397e4163b7d20N.exe	91
PID 2736 wrote to memory of 784	2736	7c8191349d87993b10d397e4163b7d20N.exe	91
PID 784 wrote to memory of 3024	784	Lhdggb32.exe	92
PID 784 wrote to memory of 3024	784	Lhdggb32.exe	92
PID 784 wrote to memory of 3024	784	Lhdggb32.exe	92
PID 3024 wrote to memory of 2324	3024	Lamlphoo.exe	93
PID 3024 wrote to memory of 2324	3024	Lamlphoo.exe	93
PID 3024 wrote to memory of 2324	3024	Lamlphoo.exe	93
PID 2324 wrote to memory of 4332	2324	Ldkhlcnb.exe	94
PID 2324 wrote to memory of 4332	2324	Ldkhlcnb.exe	94
PID 2324 wrote to memory of 4332	2324	Ldkhlcnb.exe	94
PID 4332 wrote to memory of 3580	4332	Mkepineo.exe	95
PID 4332 wrote to memory of 3580	4332	Mkepineo.exe	95
PID 4332 wrote to memory of 3580	4332	Mkepineo.exe	95
PID 3580 wrote to memory of 5012	3580	Maoifh32.exe	96
PID 3580 wrote to memory of 5012	3580	Maoifh32.exe	96
PID 3580 wrote to memory of 5012	3580	Maoifh32.exe	96
PID 5012 wrote to memory of 928	5012	Mcfkpjng.exe	97
PID 5012 wrote to memory of 928	5012	Mcfkpjng.exe	97
PID 5012 wrote to memory of 928	5012	Mcfkpjng.exe	97
PID 928 wrote to memory of 4176	928	Mdghhb32.exe	98
PID 928 wrote to memory of 4176	928	Mdghhb32.exe	98
PID 928 wrote to memory of 4176	928	Mdghhb32.exe	98
PID 4176 wrote to memory of 1936	4176	Nlnpio32.exe	99
PID 4176 wrote to memory of 1936	4176	Nlnpio32.exe	99
PID 4176 wrote to memory of 1936	4176	Nlnpio32.exe	99
PID 1936 wrote to memory of 4548	1936	Nchhfild.exe	100
PID 1936 wrote to memory of 4548	1936	Nchhfild.exe	100
PID 1936 wrote to memory of 4548	1936	Nchhfild.exe	100
PID 4548 wrote to memory of 1992	4548	Nheqnpjk.exe	101
PID 4548 wrote to memory of 1992	4548	Nheqnpjk.exe	101
PID 4548 wrote to memory of 1992	4548	Nheqnpjk.exe	101
PID 1992 wrote to memory of 2288	1992	Nkcmjlio.exe	103
PID 1992 wrote to memory of 2288	1992	Nkcmjlio.exe	103
PID 1992 wrote to memory of 2288	1992	Nkcmjlio.exe	103
PID 2288 wrote to memory of 4128	2288	Ndlacapp.exe	105
PID 2288 wrote to memory of 4128	2288	Ndlacapp.exe	105
PID 2288 wrote to memory of 4128	2288	Ndlacapp.exe	105
PID 4128 wrote to memory of 880	4128	Napameoi.exe	106
PID 4128 wrote to memory of 880	4128	Napameoi.exe	106
PID 4128 wrote to memory of 880	4128	Napameoi.exe	106
PID 880 wrote to memory of 5116	880	Nlefjnno.exe	107
PID 880 wrote to memory of 5116	880	Nlefjnno.exe	107
PID 880 wrote to memory of 5116	880	Nlefjnno.exe	107
PID 5116 wrote to memory of 740	5116	Nconfh32.exe	108
PID 5116 wrote to memory of 740	5116	Nconfh32.exe	108
PID 5116 wrote to memory of 740	5116	Nconfh32.exe	108
PID 740 wrote to memory of 4736	740	Nbbnbemf.exe	109
PID 740 wrote to memory of 4736	740	Nbbnbemf.exe	109
PID 740 wrote to memory of 4736	740	Nbbnbemf.exe	109
PID 4736 wrote to memory of 2748	4736	Nlgbon32.exe	110
PID 4736 wrote to memory of 2748	4736	Nlgbon32.exe	110
PID 4736 wrote to memory of 2748	4736	Nlgbon32.exe	110
PID 2748 wrote to memory of 4716	2748	Nofoki32.exe	111
PID 2748 wrote to memory of 4716	2748	Nofoki32.exe	111
PID 2748 wrote to memory of 4716	2748	Nofoki32.exe	111
PID 4716 wrote to memory of 4340	4716	Ohncdobq.exe	112
PID 4716 wrote to memory of 4340	4716	Ohncdobq.exe	112
PID 4716 wrote to memory of 4340	4716	Ohncdobq.exe	112
PID 4340 wrote to memory of 3252	4340	Oohkai32.exe	113
PID 4340 wrote to memory of 3252	4340	Oohkai32.exe	113
PID 4340 wrote to memory of 3252	4340	Oohkai32.exe	113
PID 3252 wrote to memory of 4292	3252	Obfhmd32.exe	114

C:\Users\Admin\AppData\Local\Temp\7c8191349d87993b10d397e4163b7d20N.exe
"C:\Users\Admin\AppData\Local\Temp\7c8191349d87993b10d397e4163b7d20N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\Lhdggb32.exe
  C:\Windows\system32\Lhdggb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\SysWOW64\Lamlphoo.exe
    C:\Windows\system32\Lamlphoo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\Ldkhlcnb.exe
      C:\Windows\system32\Ldkhlcnb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4332
      - C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:600
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        43⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:468
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5416
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        61⤵
        Executes dropped EXE
        
        PID:5728
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        69⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4388
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:6032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4408,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=1284 /prefetch:8
1⤵
PID:5888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fpjepamq.dll

Filesize
7KB

MD5
a30b5e1dcd58d45bb15c7ef526f9860d

SHA1
b3c1649caa010c0a88f44a22de817c581a73ed73

SHA256
4757ddc55de8f0682a8e57ad8f56cefcf13027541e65f18958f6162b7e2bb1ba

SHA512
e4f2fed1f06d462ced50af181941f1695aebee8e5743a09536a34a0cb6ebab0ecb8350c18530e98230b3ac02641291d6768b279ab9ddd8c8e76fc1db94d11601

Download Submit
C:\Windows\SysWOW64\Lamlphoo.exe

Filesize
128KB

MD5
a3dba6924ea52eaa1f69d2856a3b87e4

SHA1
9c6b1f846c98fa730bdfaf88fa7fe8e8deeded4a

SHA256
68021ea622239a4c400320b05afb8521d081a8d7508fd15b064e1e899c9f913c

SHA512
bddf4dc9d15a19edd0e492a8e60cccfd44f85c9fca320580c04f9abcc1611e1326f96b9e733615c34aa796c1c7a37a55b47770eed1c7358cb5c412a45f9fa665

Download Submit
C:\Windows\SysWOW64\Ldkhlcnb.exe

Filesize
128KB

MD5
b7c7eb1eebe8ef1ed4025ee9ed578ba9

SHA1
ee496ae972a6d2d4c9f1567603f97fc13759ad23

SHA256
0c8b4358f8e19ded5f3fdb990fb10ce795d0ad6c20ba472d94c3e3637cc2a44a

SHA512
10526de2d803d51e3ec92ceda8a866abfad3a5e34223d9e9ee8da6b4d4a3252e815167a56325e20a99f9e03f15e03471a96f6ee6f3409757c2497c1c8e1ceb9b

Download Submit
C:\Windows\SysWOW64\Lhdggb32.exe

Filesize
128KB

MD5
51d5e15fa6fcedc99be97289ec9d3f58

SHA1
532fa94910ab8c682e1682eb2a2deb4b2da0a142

SHA256
24dc49d990879957a367f3966081ab4d6ae0ac451895e9e4637c199e30e09ee7

SHA512
a7dac2fe9ceaf4a64dd6e1e52606b9dc7cc8bfaa0a8437e8b17a8ee390ece92a4eac2e288325fb1e2b3e083beb9e0351a87b3bd1af35518fe12fd9209b3e3be3

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe

Filesize
128KB

MD5
1a98a2be4b377d3b70951f35ef703380

SHA1
461403106324fac5dcef2f1ea7c434e20f12be99

SHA256
116e4c3254df76d782f10ea210ee9f6ca119e42e602577f741acf39d3e06a9e5

SHA512
6d9a12a942f8d81cab5209d5b371ab40991ffa70f824e0c6aabfb38b5fdcea327699509583e3e288665f9e7262c3d7c94b9af57059c08277e237a53d22c29ec0

Download Submit
C:\Windows\SysWOW64\Mcfkpjng.exe

Filesize
128KB

MD5
12dedb0c9c1f2cea87cd38ab08a7e82c

SHA1
390ea6023d1e413406b6eea16a0ab6916cbfafe7

SHA256
03a9d251eaa288c1ce2867eca0f7b928be9ee3ef0222fc7e29312332dc171762

SHA512
06ae0fa8bf86b703f970c56b5dff354e30edcb6d91b0fae80ea9c7b30261b41cb4e288a69f96e2f9eac7ee61b45733627f60eecd20b6ac886c085f0c30db568b

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
128KB

MD5
abca6aa56dded059aebda613c88ef731

SHA1
842d5fcc3f87dc405d2501275b326d2f0f9efca5

SHA256
eb0e6592b54c9d2aae697d33d6ee0e10f0e31eb3534b365bab1eecd63bca5beb

SHA512
0388396ea87dde704701068b438d1511cb4f53bbd09d1088fe2f14fc17faf20f787a61f31c429b068ef3740e623bf4b6eeaa1ca57077f875b7ad3a6e0e19d9c7

Download Submit
C:\Windows\SysWOW64\Mkepineo.exe

Filesize
128KB

MD5
398b97f6d8af72c3568bb2ccf4669c04

SHA1
fb1bb2b843c52fe44061076f69409ec6ec16aac4

SHA256
26beacc5e2a0d0e4440eccf2f3e18a80ab80cc1afa868a6fa65922629c01f56a

SHA512
dbe87af801042ec5deabd53112b4d037110a70a9117e5dcf34fc54a2ae54f51380ce313615df0148e691907e8b48d53d17b2221f6d41b125d84024fe80b63d9f

Download Submit
C:\Windows\SysWOW64\Napameoi.exe

Filesize
128KB

MD5
627ef9229ad3c90328cb686c877a45f1

SHA1
6d67e0fd5eb1606c09752b310ef7a80c4bd45473

SHA256
8b853cd858e58b8c29c0cb7818d1856cac22a07d4567c059e9fe658fc428824e

SHA512
27b8fa0f7d21e3530186c95ee6a0c551eb68f43cb9abd85da61af5618d6770041cb1b68c7e299b1845bf8400693d9d1387d06334d7b5a7cdfa257d9ed062dc84

Download Submit
C:\Windows\SysWOW64\Nbbnbemf.exe

Filesize
128KB

MD5
fc5889c75099a6c5eb76f4832bee817d

SHA1
6d3955b84b4837f1f025e038a055dedd4ec0712b

SHA256
f97168ab1ce3506a393dd48a3a9ff8a6ddbf95871122b486c50589784780fb11

SHA512
1700ff5ed6a701900b13bba525d00513c5023886553a416dc83e147b200808b1d0b5fa15c762e0488af29976f54ffbd00daa6021366cb1565ebfd49730570486

Download Submit
C:\Windows\SysWOW64\Nchhfild.exe

Filesize
128KB

MD5
2c5e63a9972f5785120cf9f6fcf1f4ac

SHA1
2ade19e84e272103f670516a1634741f27c7f9cd

SHA256
013c47637edd248dc1119b10c8a4deef12f91802c1b604ae4c94b0cc577c6da6

SHA512
fb03fee5236885cc614e0d8edaf7c15257f00c897c06724a5aec17ac9da3c7d8f92d906993978986eda7f653a73668278b3617bf4439a585b9c531502a4c21e1

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
128KB

MD5
ea94468b59931664e761e73c962bba27

SHA1
0253bf56a22392478b4ee6665c5ac8ea03a5b8e3

SHA256
052e88b24e54997bb05eb7af7c4f532a82ea0d15cf27cfdbb1c00177385c5440

SHA512
01b028951a5e417da099c2e0d516750bc471ace051e02bebb44a81c159de3aeab229f740b93ab50e278d027fd926f9ddc6114c226eca950faa3f6a94ae3ac9fd

Download Submit
C:\Windows\SysWOW64\Ndlacapp.exe

Filesize
128KB

MD5
405f24e0cc6de91a1aec3a1180483dd1

SHA1
24555234bbad96331178f1aa53fbd1bd8ba2c6fe

SHA256
7768e68c10dac2ba830fcf5748f084b5b60ce55a8ef353d0a6535f1ab57f0c5a

SHA512
1ad41602c9c2442e34c6a1dbebf30c11adf170d391557c1442805ba3d0afd21b7d34d458990d826a608b39a508e32ee9fd7087e14f44e8d1685a908d78f81fbd

Download Submit
C:\Windows\SysWOW64\Nheqnpjk.exe

Filesize
128KB

MD5
f0128ba9e17f6ad282227b6758633cad

SHA1
d46198b2450edafc25ee51e5fa907adf81131500

SHA256
1b99433293845509b6bc421351cd07c71792ae8dc009cf29e36f99d7c1085a0e

SHA512
3567acf7e26b0e4426b7e5c46b069a40950c6b5e958f55487fbd9e1de863f5ba9f82e84b0b16b92d6c7520e09db0e2506f611e6a34ddf98197f13d5ddab14cb2

Download Submit
C:\Windows\SysWOW64\Nkcmjlio.exe

Filesize
128KB

MD5
be98e65c1bf885e865f10ea9587713d0

SHA1
3b096a83efda09f6df94dce296c042071c682116

SHA256
1adc768be0f8911f55ad90432cc7c143295ffa969d20065c534e9d20c1ebba49

SHA512
5eb467e62d2ab22afc2eba7507e520166977e9f7a7c922139a9ca2361487fc2c4e81face5e483a23bdb2962b285f42f1bdf42cd3f2ed0479e61891ae67f09927

Download Submit
C:\Windows\SysWOW64\Nlefjnno.exe

Filesize
128KB

MD5
b21514285a41ad3b8ce8524cc0a1c918

SHA1
f79ec5a8ceb02e08a5c12b817baf3382629bddbd

SHA256
fab14c415bceb0b6139e0bbd959391483109e4eb2550fefe874ad956f8509274

SHA512
2e082b8a73d1b959a030e525d6e99ca4b7d119e1755686b59e4e7af781c99680cf93b1aede4b75b145a344795034eccf11a2d8e2b5c5d3906db8cfd28603a65a

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
128KB

MD5
961fd02eb98cf7ed31b3a1f426585492

SHA1
922bbe2a1af6e576ee54460857aab3af4ca28b77

SHA256
a95bc367d3fa00ba08371ef87a1105e14bfba47e3c34199f55b2bf04ba7f957b

SHA512
a2206f35e4ec773135dbd10017473452fcf2bae25a6f97c51aacb8fa451fa5371ef80ec0e1170f54501805845168f171cac0eebd648247a1ae5af237312c2c0e

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
128KB

MD5
d47c4c356da243e6d7500f3cbda2ef29

SHA1
5c6114ca22271315b0ab08d8ca9ba194276e5a56

SHA256
0af2d8737b24ce040f64e4e95cf6b9e2b3ddc6f9cbbb795426a5e218b251dc90

SHA512
f8bcf02cb0ed731c8a3d67ccdc3fdfaafca29f987fcffca56bdc9072d530a06d801b3c7631b40ff993a5ad7bf5f32c1b48af46c24a2f199cb06d02b00a26b593

Download Submit
C:\Windows\SysWOW64\Nofoki32.exe

Filesize
128KB

MD5
019c8301f9b335d64c3082bee135d66c

SHA1
5a5a38f47c1ae0a44c9c78e97d6ff6416422907e

SHA256
620b5b043012154d66c44ae179d19491c3f7a430c6f26a740ef403ca3a7176b3

SHA512
2003a85744b88b8a2f791da7a52fd878dc7b1d2746c2998e41a3d729d844d66f297018850ba57ca5410ef05e518092f976aee79a466116e682b0f2fbc8bfde2d

Download Submit
C:\Windows\SysWOW64\Obfhmd32.exe

Filesize
128KB

MD5
e97a57f680ae7418c8e94b71092ba661

SHA1
5492046e7b5054e76c74498d6cf1eb1174d0c29f

SHA256
42cddb498e85c5f2469fe9898e1486a0ec4bf29c2a8db3d870793a257ed6a2a8

SHA512
243b5bbfdcac3812e19284e948ef7bc1bbfdfc0652d51e222a7991271b98a4f6df620135e93a6a7a31d296a2fa7fde3e4ce96c5870699710b89d94e4c3a06c14

Download Submit
C:\Windows\SysWOW64\Obidcdfo.exe

Filesize
128KB

MD5
9298e3faa1a2de3ce4b4683b47459f3c

SHA1
75a0164fcacb327cc155cbc42113e80818d92b76

SHA256
99a9e300eb45f27cf0cbc66d3fc484dfae348d089e1b513dc8e47ca9b7af1f00

SHA512
77fa16fe734ff3ca5ce4de81002c760ca2e9b57cd6a37ff426f9b9fc863f852168cb518d7ad67050bf273ed9ceb4c309e438a7fa74e6921a6860fd4c5d255f88

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
128KB

MD5
7a84c00a078be179faf9905768714c90

SHA1
d604243eb3ee5351a3247977dce6244880f80cda

SHA256
fc9849b7e6df99b8dcac907bbfb39b25f234543340eaf7a01f2a40177e04b860

SHA512
a4854e4563925fd941cf79a789691f6c30ee59814cb8179f5d9be2aed5d2afa9c48e955120a782049aadade9254971b5f4e662166dd6b13902fce38126db404f

Download Submit
C:\Windows\SysWOW64\Ochamg32.exe

Filesize
128KB

MD5
b421a7f6ddf2d265717d13a0e49fc1a5

SHA1
689cb2dff7e20f8a109613b2b0befb6c24b21a42

SHA256
03c3bc71e09c53c85d7fa31741fda86c62b3e33b8c69e213305fd49dc5d1a32e

SHA512
f168e82b235ae3da34fe5d6f73b1dab750c70c200df7aab26ba302f4614a043fc293c3938de7de8913d88e61d83f00002f1d44058478066645ac2f2458b3972f

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
128KB

MD5
126d29e6be3b6710629b825f62ba76c0

SHA1
7aad46e0a22cf4fb9d420adcfb8312880be54799

SHA256
06c1eb1de2363f116286b264fe075301df857f897f8d295862e00c19fb8527bb

SHA512
edb9b8dda8f23c8da82fb5d602e04aedccae98ec36e5ae7de199d2e5d6438bc77529f904fce3671840598fbd3e12033b5a54f051daf157d25b33edf193b7b1ec

Download Submit
C:\Windows\SysWOW64\Odgqopeb.exe

Filesize
128KB

MD5
58d313232c2843f2f2f44a9266e1a185

SHA1
086dd9109704ffb2d7aed1af51ce3c407a489513

SHA256
4d6389d0ce812fff34ee7a1ba4567944e2f9315cb6758b86278903acbfdec928

SHA512
d77ea772a454e6d8f99ca70f33a6f9c8b2ba58cdd60a71d10ccfb72f5d91b781761b9d3e5385a91a21f4718d709c72b8340137e81a96d9d6b52c8b6d45067b8b

Download Submit
C:\Windows\SysWOW64\Ofdqcc32.exe

Filesize
128KB

MD5
01f9ae28bda46eab9e94a3724f0eac9c

SHA1
5efaaff569258f8a16bf890df26506ddb248928c

SHA256
0410e7b12bfa187c181483c5593b19e5fdf49e258d3078451b6cb307344a6eed

SHA512
6b1b7bb7d8ac404c421a6e1dcdf65d49bddf21523607a8f24df05fb5fc003298d437b990f7b0da8653839e2055b5c5c0ad6a59f64fbbdac1da4ced320372a01c

Download Submit
C:\Windows\SysWOW64\Ohncdobq.exe

Filesize
128KB

MD5
44c89273c6601d59b6d16720a1e691c9

SHA1
3364ee75eb8615e37dde7628a329064cb8ea143b

SHA256
1657dda6514edb6a96564783c14b9ef620f02e90e38ffe364c08cef6c34bc839

SHA512
69a36f910e84663fefbd7140b2b3f484a93e2dd0b5ffa2def35c39454ea641b6bc7422797ce304e541af79914b05dd000a738331873a492a51a5183d55e0d825

Download Submit
C:\Windows\SysWOW64\Ohqpjo32.exe

Filesize
128KB

MD5
b8356c9a533a71c112680c516913391e

SHA1
3e49f1eb326c6ee056beeb77bc1364d159805811

SHA256
cd89df77384fb640464f409c535111a7a0be93c74a35b739aaa85fa08836b307

SHA512
116e38f4dba07a3bf3a6f058a9a7b198beb4e5b76ba6d8a3f52c74330ace8f468c2799ab7458b5a9dde2a12d32951e8ada8de4cff512baeb795788c521e36c4b

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
128KB

MD5
11343ace0b0a38aae829256fc5bb137a

SHA1
6b9a7b759a34b05a6c5d4d031fa735a5154d533c

SHA256
cc5245288cddc01f89ebd02da637c16c25e00cac7f5e8428cc68f9fbdedb92dd

SHA512
aeba64a5c8043261c574f77339629f24f00ce999201b011e02a963a7fafe7db0695a03b51d5619d5527e3a2e191b368174bd9656c37cfbc33c807f1ebd16d7b9

Download Submit
C:\Windows\SysWOW64\Okolfj32.exe

Filesize
128KB

MD5
f0e0c5737f287361df9d52e6a56516bf

SHA1
95fa05b9a7b0f2e19e928605a6bc932cc4ddfc60

SHA256
c76818d9915aa52a4409156425e8d7a53455223d8f1e7dce95fda3adb979cc22

SHA512
7210f8dad691bcea0b8d6e973dea53da8eb99455fdb7100f6f64fa0d2b21ba5b289368d2815d3cbd1384bc1734a8654e8383c95e1d67d993ae7db6d942640b91

Download Submit
C:\Windows\SysWOW64\Oloipmfd.exe

Filesize
128KB

MD5
a74a2552b882dc39505114433ad1b7ea

SHA1
54e1c57548e52cffa93ae635db194a0ff1e3870f

SHA256
60be6cec0abd9b2456a69903fc3973c8e02840e7235de10784454ddd8a1038b1

SHA512
6b07a8feca43a10bcc100af3729d226fc3ff9e9044bad53a5b55c50e0902ffa72c80312fdd3840fde46c97419085a70a094d5c4ef226baffeae51bab039e3552

Download Submit
C:\Windows\SysWOW64\Oohkai32.exe

Filesize
128KB

MD5
8a8c83b06c8670e1f72a87eaa068a56d

SHA1
4ac9af0ae2de95602729a054ecc5e1d3edf0d1ac

SHA256
a9db3ca9e8ec8cbc1e44e5d22c4e1e098e73010c52e5968ce41a050ed3abe842

SHA512
3dfe93ac5fe8ce848a32e71d055cb590c1c39e7434f79243df4c80418a5991ed1149874d77c2d83e40afadb7e70dfdf00b5ab32f0cf9a80df72c95c857d49b2a

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
128KB

MD5
dc3108d31581eacf584a80e2d21ca86f

SHA1
2ca9c03c9024f6521d7c9969936833c89f89401d

SHA256
9dee3634199a018a24ba6dc2620918fd2de1cbeb9d0c4e558ff7118beba1b135

SHA512
821d7f165f204068255d9e7ce26b1d423938d4159e3f60345afe40292cadad58c00d341714c641559b6482d0c0e542aedde1ecbca7b3165ef8a77c3ac69ed93b

Download Submit
memory/336-211-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/468-350-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/600-332-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/636-302-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/740-134-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/740-227-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/784-88-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/784-7-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/880-116-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/880-210-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/928-143-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/928-55-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1056-548-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1216-542-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1332-524-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1716-219-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1936-71-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1936-161-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1976-314-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1992-183-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1992-89-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2288-192-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2288-98-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2324-106-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2324-24-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2400-278-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2736-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2736-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2748-157-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2864-284-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3024-19-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3024-97-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3220-262-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3252-184-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3300-237-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3500-506-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3580-39-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3580-129-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3644-270-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3804-202-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3832-320-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3880-296-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4128-108-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4128-201-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4156-308-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4176-156-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4176-64-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4292-193-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4332-115-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4332-32-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4340-175-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4356-290-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4376-344-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4416-512-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4496-530-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4508-254-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4548-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4548-174-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4596-228-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4636-518-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4708-338-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4716-253-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4716-162-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4736-148-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4736-236-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4864-245-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4988-326-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5012-48-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5012-133-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5116-130-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5136-356-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5156-536-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5168-362-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5216-368-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5248-374-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5296-380-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5328-386-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5376-392-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5416-398-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5456-404-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5496-410-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5536-416-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5576-422-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5608-428-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5656-434-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5692-440-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5728-446-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5772-452-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5808-458-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5856-464-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5896-470-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5944-476-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5976-482-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/6016-488-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/6072-494-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/6120-500-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads