14e20d305a3bbd8186bafb3b6acfa079875fff44759a0d93c0555ed625566b3e

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4245accd1aab55bf8d60fdb367e4500N.exe
Size

80KB
MD5

f4245accd1aab55bf8d60fdb367e4500
SHA1

2fbcf78780ca40634ca09f60217e1a01b3d057df
SHA256

14e20d305a3bbd8186bafb3b6acfa079875fff44759a0d93c0555ed625566b3e
SHA512

0933d4cfca97822ca44befff14fee216b30bbc7b68c2cd755f87c890490fba367ca4f5013dd78e596865ef30bd54a99afa1c569ba796787a1b21c82d81f96bbe
SSDEEP

1536:KR+w3sWaKBR/HN9XQhuRVITEYdVq1ymDadtT5YMkhohBE8VGh:dw3DkgRH1ymDadt1UAEQGh

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Napameoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheienli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f4245accd1aab55bf8d60fdb367e4500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhbciqln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oooaah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkoemhao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mccokj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pomncfge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkocol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcppq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Namegfql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcidopb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ollljmhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oooaah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ollljmhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piceflpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbnbemf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obfhmd32.exe

Executes dropped EXE 62 IoCs

pid	Process
4564	Mkgmoncl.exe
1004	Mcoepkdo.exe
3188	Maaekg32.exe
3316	Mkjjdmaj.exe
3832	Madbagif.exe
4692	Mdbnmbhj.exe
2320	Mhnjna32.exe
4504	Mccokj32.exe
4464	Mddkbbfg.exe
4776	Mkocol32.exe
4908	Mahklf32.exe
2316	Nhbciqln.exe
1088	Nchhfild.exe
1728	Ndidna32.exe
3984	Nkcmjlio.exe
1464	Namegfql.exe
3432	Nlcidopb.exe
4092	Napameoi.exe
4672	Ndnnianm.exe
2008	Nkhfek32.exe
4560	Nbbnbemf.exe
1104	Ndpjnq32.exe
4808	Nkjckkcg.exe
1772	Ncaklhdi.exe
3120	Okmpqjad.exe
4380	Obfhmd32.exe
1660	Ollljmhg.exe
4804	Ocfdgg32.exe
2020	Odgqopeb.exe
1596	Oomelheh.exe
1396	Ofgmib32.exe
3744	Oheienli.exe
5000	Okceaikl.exe
428	Oooaah32.exe
5076	Ohhfknjf.exe
4740	Ooangh32.exe
1952	Obpkcc32.exe
2540	Pdngpo32.exe
4680	Pmeoqlpl.exe
3208	Pcpgmf32.exe
432	Pilpfm32.exe
3688	Pkklbh32.exe
4284	Pbddobla.exe
2216	Piolkm32.exe
3712	Pmjhlklg.exe
4088	Pcdqhecd.exe
2808	Peempn32.exe
4072	Pkoemhao.exe
3044	Pbimjb32.exe
4024	Piceflpi.exe
4900	Pomncfge.exe
4100	Pbljoafi.exe
4644	Qifbll32.exe
2224	Qkdohg32.exe
3704	Qbngeadf.exe
3372	Qelcamcj.exe
676	Qihoak32.exe
3716	Qpbgnecp.exe
2888	Aflpkpjm.exe
3080	Akihcfid.exe
5128	Abcppq32.exe
5168	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mahklf32.exe	Mkocol32.exe
File created	C:\Windows\SysWOW64\Nkhfek32.exe	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Qihoak32.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Aflpkpjm.exe	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Maaekg32.exe	Mcoepkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mdbnmbhj.exe	Madbagif.exe
File opened for modification	C:\Windows\SysWOW64\Oheienli.exe	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Kialcj32.dll	Pbimjb32.exe
File created	C:\Windows\SysWOW64\Khhmbdka.dll	Piceflpi.exe
File created	C:\Windows\SysWOW64\Mkjjdmaj.exe	Maaekg32.exe
File opened for modification	C:\Windows\SysWOW64\Mddkbbfg.exe	Mccokj32.exe
File opened for modification	C:\Windows\SysWOW64\Obfhmd32.exe	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Odpldj32.dll	Ocfdgg32.exe
File created	C:\Windows\SysWOW64\Pmjhlklg.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Edkamckh.dll	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Dapijd32.dll	Peempn32.exe
File opened for modification	C:\Windows\SysWOW64\Pbimjb32.exe	Pkoemhao.exe
File opened for modification	C:\Windows\SysWOW64\Mkjjdmaj.exe	Maaekg32.exe
File created	C:\Windows\SysWOW64\Cbgabh32.dll	Mddkbbfg.exe
File created	C:\Windows\SysWOW64\Fklociap.dll	Nlcidopb.exe
File created	C:\Windows\SysWOW64\Pbddobla.exe	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Hpacoj32.dll	Pkklbh32.exe
File opened for modification	C:\Windows\SysWOW64\Qifbll32.exe	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Qkdohg32.exe	Qifbll32.exe
File opened for modification	C:\Windows\SysWOW64\Qbngeadf.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Cdkdne32.dll	Qbngeadf.exe
File opened for modification	C:\Windows\SysWOW64\Piolkm32.exe	Pbddobla.exe
File created	C:\Windows\SysWOW64\Kjmole32.dll	Pbddobla.exe
File created	C:\Windows\SysWOW64\Pomncfge.exe	Piceflpi.exe
File created	C:\Windows\SysWOW64\Ndpjnq32.exe	Nbbnbemf.exe
File created	C:\Windows\SysWOW64\Aiaeig32.dll	Obfhmd32.exe
File opened for modification	C:\Windows\SysWOW64\Okceaikl.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Obpkcc32.exe	Ooangh32.exe
File opened for modification	C:\Windows\SysWOW64\Pkklbh32.exe	Pilpfm32.exe
File opened for modification	C:\Windows\SysWOW64\Okmpqjad.exe	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Obfhmd32.exe	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Oenlmopg.dll	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Caekaaoh.dll	Madbagif.exe
File created	C:\Windows\SysWOW64\Cdpqko32.dll	Mhnjna32.exe
File created	C:\Windows\SysWOW64\Ndidna32.exe	Nchhfild.exe
File created	C:\Windows\SysWOW64\Ndnnianm.exe	Napameoi.exe
File created	C:\Windows\SysWOW64\Okmpqjad.exe	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Ncloojfj.dll	Pcpgmf32.exe
File opened for modification	C:\Windows\SysWOW64\Qelcamcj.exe	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Ffmnibme.dll	Nhbciqln.exe
File created	C:\Windows\SysWOW64\Flekgd32.dll	Nbbnbemf.exe
File created	C:\Windows\SysWOW64\Ooangh32.exe	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Pmejnpqp.dll	Qelcamcj.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmoncl.exe	f4245accd1aab55bf8d60fdb367e4500N.exe
File created	C:\Windows\SysWOW64\Eiebmbnn.dll	Nkhfek32.exe
File created	C:\Windows\SysWOW64\Ollljmhg.exe	Obfhmd32.exe
File created	C:\Windows\SysWOW64\Ebcgjl32.dll	Akihcfid.exe
File created	C:\Windows\SysWOW64\Nbbnbemf.exe	Nkhfek32.exe
File opened for modification	C:\Windows\SysWOW64\Ndpjnq32.exe	Nbbnbemf.exe
File created	C:\Windows\SysWOW64\Oomelheh.exe	Odgqopeb.exe
File opened for modification	C:\Windows\SysWOW64\Peempn32.exe	Pcdqhecd.exe
File opened for modification	C:\Windows\SysWOW64\Oooaah32.exe	Okceaikl.exe
File opened for modification	C:\Windows\SysWOW64\Pbddobla.exe	Pkklbh32.exe
File opened for modification	C:\Windows\SysWOW64\Mkocol32.exe	Mddkbbfg.exe
File created	C:\Windows\SysWOW64\Nhbciqln.exe	Mahklf32.exe
File opened for modification	C:\Windows\SysWOW64\Ndnnianm.exe	Napameoi.exe
File created	C:\Windows\SysWOW64\Ncaklhdi.exe	Nkjckkcg.exe
File created	C:\Windows\SysWOW64\Lchfjc32.dll	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Abcppq32.exe	Akihcfid.exe

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdbnmbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkgmoncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooangh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdngpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcoepkdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napameoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhfek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oooaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obpkcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmjlio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbnbemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjckkcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncaklhdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peempn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mddkbbfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkocol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mahklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkdohg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mccokj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnnianm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkklbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollljmhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndidna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obfhmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkjjdmaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifbll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhnjna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcidopb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhfknjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maaekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbljoafi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Namegfql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nchhfild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4245accd1aab55bf8d60fdb367e4500N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomncfge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhbciqln.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlbphhk.dll"	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpqko32.dll"	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkocol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqoppk32.dll"	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogcho32.dll"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkamckh.dll"	Pcdqhecd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknmpb32.dll"	Pomncfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmnibme.dll"	Nhbciqln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odemep32.dll"	Napameoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknanh32.dll"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfjc32.dll"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpcjnil.dll"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkacdofa.dll"	Odgqopeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkjom32.dll"	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaekg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpqifh32.dll"	Ollljmhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapijd32.dll"	Peempn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqkbjk32.dll"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdejagg.dll"	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqdbl32.dll"	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbbnbemf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Peempn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbooabbb.dll"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmejnpqp.dll"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnkilod.dll"	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijbed32.dll"	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncgmcgd.dll"	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debaqh32.dll"	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnegipj.dll"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Madbagif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odgqopeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdkdne32.dll"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f4245accd1aab55bf8d60fdb367e4500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcoepkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kialcj32.dll"	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohhfknjf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 4564	1536	f4245accd1aab55bf8d60fdb367e4500N.exe	91
PID 1536 wrote to memory of 4564	1536	f4245accd1aab55bf8d60fdb367e4500N.exe	91
PID 1536 wrote to memory of 4564	1536	f4245accd1aab55bf8d60fdb367e4500N.exe	91
PID 4564 wrote to memory of 1004	4564	Mkgmoncl.exe	92
PID 4564 wrote to memory of 1004	4564	Mkgmoncl.exe	92
PID 4564 wrote to memory of 1004	4564	Mkgmoncl.exe	92
PID 1004 wrote to memory of 3188	1004	Mcoepkdo.exe	93
PID 1004 wrote to memory of 3188	1004	Mcoepkdo.exe	93
PID 1004 wrote to memory of 3188	1004	Mcoepkdo.exe	93
PID 3188 wrote to memory of 3316	3188	Maaekg32.exe	94
PID 3188 wrote to memory of 3316	3188	Maaekg32.exe	94
PID 3188 wrote to memory of 3316	3188	Maaekg32.exe	94
PID 3316 wrote to memory of 3832	3316	Mkjjdmaj.exe	95
PID 3316 wrote to memory of 3832	3316	Mkjjdmaj.exe	95
PID 3316 wrote to memory of 3832	3316	Mkjjdmaj.exe	95
PID 3832 wrote to memory of 4692	3832	Madbagif.exe	96
PID 3832 wrote to memory of 4692	3832	Madbagif.exe	96
PID 3832 wrote to memory of 4692	3832	Madbagif.exe	96
PID 4692 wrote to memory of 2320	4692	Mdbnmbhj.exe	97
PID 4692 wrote to memory of 2320	4692	Mdbnmbhj.exe	97
PID 4692 wrote to memory of 2320	4692	Mdbnmbhj.exe	97
PID 2320 wrote to memory of 4504	2320	Mhnjna32.exe	99
PID 2320 wrote to memory of 4504	2320	Mhnjna32.exe	99
PID 2320 wrote to memory of 4504	2320	Mhnjna32.exe	99
PID 4504 wrote to memory of 4464	4504	Mccokj32.exe	100
PID 4504 wrote to memory of 4464	4504	Mccokj32.exe	100
PID 4504 wrote to memory of 4464	4504	Mccokj32.exe	100
PID 4464 wrote to memory of 4776	4464	Mddkbbfg.exe	101
PID 4464 wrote to memory of 4776	4464	Mddkbbfg.exe	101
PID 4464 wrote to memory of 4776	4464	Mddkbbfg.exe	101
PID 4776 wrote to memory of 4908	4776	Mkocol32.exe	102
PID 4776 wrote to memory of 4908	4776	Mkocol32.exe	102
PID 4776 wrote to memory of 4908	4776	Mkocol32.exe	102
PID 4908 wrote to memory of 2316	4908	Mahklf32.exe	103
PID 4908 wrote to memory of 2316	4908	Mahklf32.exe	103
PID 4908 wrote to memory of 2316	4908	Mahklf32.exe	103
PID 2316 wrote to memory of 1088	2316	Nhbciqln.exe	104
PID 2316 wrote to memory of 1088	2316	Nhbciqln.exe	104
PID 2316 wrote to memory of 1088	2316	Nhbciqln.exe	104
PID 1088 wrote to memory of 1728	1088	Nchhfild.exe	105
PID 1088 wrote to memory of 1728	1088	Nchhfild.exe	105
PID 1088 wrote to memory of 1728	1088	Nchhfild.exe	105
PID 1728 wrote to memory of 3984	1728	Ndidna32.exe	107
PID 1728 wrote to memory of 3984	1728	Ndidna32.exe	107
PID 1728 wrote to memory of 3984	1728	Ndidna32.exe	107
PID 3984 wrote to memory of 1464	3984	Nkcmjlio.exe	108
PID 3984 wrote to memory of 1464	3984	Nkcmjlio.exe	108
PID 3984 wrote to memory of 1464	3984	Nkcmjlio.exe	108
PID 1464 wrote to memory of 3432	1464	Namegfql.exe	109
PID 1464 wrote to memory of 3432	1464	Namegfql.exe	109
PID 1464 wrote to memory of 3432	1464	Namegfql.exe	109
PID 3432 wrote to memory of 4092	3432	Nlcidopb.exe	111
PID 3432 wrote to memory of 4092	3432	Nlcidopb.exe	111
PID 3432 wrote to memory of 4092	3432	Nlcidopb.exe	111
PID 4092 wrote to memory of 4672	4092	Napameoi.exe	112
PID 4092 wrote to memory of 4672	4092	Napameoi.exe	112
PID 4092 wrote to memory of 4672	4092	Napameoi.exe	112
PID 4672 wrote to memory of 2008	4672	Ndnnianm.exe	113
PID 4672 wrote to memory of 2008	4672	Ndnnianm.exe	113
PID 4672 wrote to memory of 2008	4672	Ndnnianm.exe	113
PID 2008 wrote to memory of 4560	2008	Nkhfek32.exe	114
PID 2008 wrote to memory of 4560	2008	Nkhfek32.exe	114
PID 2008 wrote to memory of 4560	2008	Nkhfek32.exe	114
PID 4560 wrote to memory of 1104	4560	Nbbnbemf.exe	115

C:\Users\Admin\AppData\Local\Temp\f4245accd1aab55bf8d60fdb367e4500N.exe
"C:\Users\Admin\AppData\Local\Temp\f4245accd1aab55bf8d60fdb367e4500N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\Mkgmoncl.exe
  C:\Windows\system32\Mkgmoncl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\Mcoepkdo.exe
    C:\Windows\system32\Mcoepkdo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\SysWOW64\Maaekg32.exe
      C:\Windows\system32\Maaekg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3316
      - C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4076,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
1⤵
PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaekg32.exe

Filesize
80KB

MD5
217aca57278a38cb3a4f32d291db6378

SHA1
86da81ed27b4c5b754b77646786ec962defe4867

SHA256
b687a8a541ad6096fa3e51837db05dc312a2dd32e70d29283e75b2a2b716d8c9

SHA512
9caf7314724d0fdd36bec1c63de6368b458880dacbcc6477420db171c2ca71c770c5c1ccab61ecacf6a7606820d5b5b1a9586f5fd5c6e181369371f080ceb427

Download Submit
C:\Windows\SysWOW64\Madbagif.exe

Filesize
80KB

MD5
930fa8b066e4123e988e18e3f033885f

SHA1
e967d5008dde2aea91d574b58cd375c3e3e04d91

SHA256
9552d76485edcc60238375c4fe04c19f0b55d651495af4efb181bdb932a36892

SHA512
c2462f89b06abeb45b0d5f7d3c6005b8979360444b660e964b914faa74c04ab6ea012f2f78299f15c3871e634d36d7dc1001c3422e8345105331a36102191c55

Download Submit
C:\Windows\SysWOW64\Mahklf32.exe

Filesize
80KB

MD5
4dfc17e131cf6c28371d2271f1576f5b

SHA1
7905fc86e2094102551d7d6ed60ee5309eec261a

SHA256
c405012e30cf2e69ec64744e7db5fa80caff8ca74641635920e35cadfd42e24b

SHA512
d50914cc5c36c3cfd6b83a757d42b37d2509323d951ca3d8e1bc302f2d22bf9dc29a01fa4cc4165d4e634038063c21e01e95b946a12776a44fce396842fecf62

Download Submit
C:\Windows\SysWOW64\Mccokj32.exe

Filesize
80KB

MD5
772240b5f8b672175a82ac4670145054

SHA1
0ec249d4abc15d8454616d088761a17a58537278

SHA256
58d16b5bfb8e92aa78fa74c41577c441ffd3ada2488046c97e03878b94e94493

SHA512
70db9e0dff73a7bcbfebd4ceff4e3b135b341d0f58342ccb6729d3ba8e1a528e62a64d1d450c27e20b386623902abac63e9ab16f0520b7a8879e2e4b3ece053d

Download Submit
C:\Windows\SysWOW64\Mcoepkdo.exe

Filesize
80KB

MD5
061148cb272243a06ac0421eb438737d

SHA1
4553bfa31e4190d88dd9bf70798506092c06803b

SHA256
13376cb2d10454bd76c01e7dad324dc938d852390798f691bb9f0ef406f50a2e

SHA512
40cd95d1a06833cabf79a1fab198efd7d679603782958bf4b5c513cf6ad34784bbc95af661d81ed2a6e411e8854305dcaa3a1acc030b8509e7eb8e925f865708

Download Submit
C:\Windows\SysWOW64\Mdbnmbhj.exe

Filesize
80KB

MD5
615bd84db70e74ff8d13c6298d8ea312

SHA1
1c3a29166519968f0a5eb8a5f0b6acad7c253b08

SHA256
1d9d73910aac761e8ef09ba3a9493c51abe86b26b1ed3a82f7d64ab7a2b928eb

SHA512
cacc100aa214cf668a9b4de4d0456045a9b22b330a62a9edbfe5cdcbed3a4839f2a7fd9b173dec73866c74965801b227cbe4f8c60849e03a187f4861b633ccf5

Download Submit
C:\Windows\SysWOW64\Mddkbbfg.exe

Filesize
80KB

MD5
50e522e25066a79920093ad67140b264

SHA1
dbafab4e86c685206f5ec051a809689ce87c85ed

SHA256
e109cd318ac748d407a20b2c06d5de55bf0ce57e6dcab1470f63f3c2644a3b6e

SHA512
ddddf7a5d9250e0a06669c233b610ef70618022226ea17fdcabcdb07955968ffbffda0fbb43a173319b53e34a3a4e8fbba07cf9c50e479aa23b56143889b0202

Download Submit
C:\Windows\SysWOW64\Mhnjna32.exe

Filesize
80KB

MD5
d5b29727b2d0212d4fc7d280372d7303

SHA1
ed13368bda0a00d3bc148b4a233617c1037442ba

SHA256
1c0a99346d439a3812e6b70672332e39905cf8043c51bf13b57043b76d55518e

SHA512
e18c42d54ea62951d4568027fd20955808d14547d2e9e03068218f6ee99aa0e43e156da0f650e2d71bf7ca43bd9ef89a03e4b6fb8d0b23e334129840bc08ade6

Download Submit
C:\Windows\SysWOW64\Mkgmoncl.exe

Filesize
80KB

MD5
0982f83d035d6cf26ca9f79f79b09136

SHA1
0f40c83434937e63bc7271bdcd5e6b063f72ae19

SHA256
10e39268d98555e97dd839b17398885938d0bdf94d349b146ca6510a207205e8

SHA512
37b42acc67503cc8488bf2ed1f1eaa0f7ddf8116bb426cf3cdf4d06f8d6de056bfe6b4701c5102c97b338302bac298b50407ac4c3d7a70440a31a3e651bd9cd2

Download Submit
C:\Windows\SysWOW64\Mkjjdmaj.exe

Filesize
80KB

MD5
b9a6e967df67d8c63666bbf67d35e7ec

SHA1
47d30af648984cc6d489061a1a2313623c200131

SHA256
a5ee6fc4f8d532cf9aaac87107589dbef59eea4d17bb3f10beaf7a66ee0c7e07

SHA512
c67fd87d38b54012fa3edcfb0dcd861dd11aeee68661715c03e6b67838791fa5ae9b820ddc6b0b9807c2e81b63accebc8a6304ff542fb2d9718ce9dd145c2a44

Download Submit
C:\Windows\SysWOW64\Mkocol32.exe

Filesize
80KB

MD5
a0bb86110e5aa0c0c7af9fc18bdd3f20

SHA1
a4aba6bcdcdf2771e34580acdaeefa15b620eadf

SHA256
a167088f56212ba412ec17bfc18481a074408d4a4cec8133ee5ff20ae432d9ae

SHA512
2252904ce2e508412aa716b89c04c98bcc1557c48dcd688e6ee36ce268997ff23b075a262e608bc523900b7b582342e358d95601ba3265374f9c74a501ec9920

Download Submit
C:\Windows\SysWOW64\Namegfql.exe

Filesize
80KB

MD5
4c0767f0ed85361d05d7c0ac94cdfdc4

SHA1
8d802b3346cedcc40a323619e89e6c2ddb12053c

SHA256
2b9a16f79665271660a5ea118ceb6343cdf0277f8646776c789aa9cb4af68510

SHA512
cac52926970898390964d7e907c3d85ca73de1d4c5dced140a1a0c0afe9110926aa58d3c730a5eb6a9c39d37822c9c66b0e1e9481cf5449f5cbd836d172764ca

Download Submit
C:\Windows\SysWOW64\Napameoi.exe

Filesize
80KB

MD5
8a741e444528d8c09765db734e7cbaef

SHA1
ea71c4c8e91f19b016bcf8016e512f59857af729

SHA256
05f4c468c2efb3d192a5a179e80c23fdc9e44c620cc0d39d0023087e52575863

SHA512
3154d82021b2078621688744c42612bae8c5a1b4ec602900b60671063da4eaa7243bf646f60a6645a539b45d2cb414f2acc89dfec6bc4f56941feabf5b54dab7

Download Submit
C:\Windows\SysWOW64\Nbbnbemf.exe

Filesize
80KB

MD5
8b524ef01e05bb85d1ca5446cb039082

SHA1
a607a68e296034b35546e2eab73489cae662a462

SHA256
519bf21e01151c76f099839d94536e74742e4561fc06db40b826e59074a2cdd3

SHA512
cf08118fce133f1bcd8df22c38695df38bdd2f184e7436b05c0719ff9f49d5258428f2ddc1ee47ba9964aef495f8078642d892bdfc151a5a110eba930815e7ee

Download Submit
C:\Windows\SysWOW64\Ncaklhdi.exe

Filesize
80KB

MD5
dde3166087c6c9ca72b19fa0f0ca2e2c

SHA1
fed5639af028f00efed46144d3cd2dab714571fb

SHA256
2117c67efadf7c6d3eecc4fbd5c022f9a2483d500b04a67004ba2a181d0b3a3e

SHA512
d4c42ac6c0d08eb9c72490b1c2794c2e405a172d104fe98fd4bfe3bee4b827cb69413202cdea55651eef47a6ef51effad1b0b77168664dc1b145755f111803df

Download Submit
C:\Windows\SysWOW64\Nchhfild.exe

Filesize
80KB

MD5
e5d95477cb146ab493b12358f1c79bd1

SHA1
439f60adf6f7c0f3756f1e9e783e0df7b058d6cb

SHA256
1c8955a27d992b6c1edb28a4aa1949e09667dbb18e8dee101f462fb5a33d9461

SHA512
f5e091c40a3dd8524da294bd704b3776eeb7c3a5ea522dfab07870d86ffcd13d3dbdcd6f4b21dda076cb2a4a2b8091f73344107688bd261ddafea0c830d00092

Download Submit
C:\Windows\SysWOW64\Ndidna32.exe

Filesize
80KB

MD5
9597d666f81a18e9007db709cd8d7731

SHA1
41d9d88839e45f71137023f67cd8bf3c09e81a45

SHA256
b6c528f2f565ab438d78cafa14350ff3ce2729bf999ef71afbd0d7b118efb609

SHA512
09f7f8bb64b42df2d96c1f29a72353953ad9bf40e334ecd3fec72f93d78f9274256c00c75b7bfc012913aa0439159b2e4a0916f20d74b27faff753cbad09cb15

Download Submit
C:\Windows\SysWOW64\Ndnnianm.exe

Filesize
80KB

MD5
961156f796da940dc63f11943bd33bed

SHA1
223033490f3bd6c29cd5a7deb0ba577547153cba

SHA256
85c2f87bfbbf6e45d477aced296624dd764daf26b797a3a9af974d3d10283b05

SHA512
435f0f622c667d69bd3474a8b870962937d18d0b4b1fd49748613b9433d514d1d4c8cf41f60858d862dc08b531bdcce446f766fbfc85f312ca9ecfc0252b36ad

Download Submit
C:\Windows\SysWOW64\Ndpjnq32.exe

Filesize
80KB

MD5
fb445bff9ec008325a83c9108e9c5084

SHA1
664900844b253a4389a1471e9d1ce61b76ee4c97

SHA256
3cf6ef8a963de6a4566fe9a099e6e13ff49b73a60c147009d1959b737d0451e5

SHA512
176f2d0e0fb3947d3cf4b7e06092e5c2460721a199936b8af42c8de1a2e650182107b12b7bb0ce6422751b9f186ae19a906daae854d0d5866c51077ee7c3bb49

Download Submit
C:\Windows\SysWOW64\Nhbciqln.exe

Filesize
80KB

MD5
438e9800b061f02f6fbb3cc4b1e8f4f2

SHA1
b8ad8a95fa2d3afd1801044ec525492bffc2af2c

SHA256
ab6b66eebe2616194b18a8107c5295c5a8ba4fd181a98acd8dac82416eec470c

SHA512
e1cba1b848e6217bb8447c5eea558b4041288455a390259d4f6443f9e2022aefd2a99ff75fbec77431de2c09ed3db09886a18f5db73f7b1e566e2e865debb05b

Download Submit
C:\Windows\SysWOW64\Nkcmjlio.exe

Filesize
80KB

MD5
95637e809e044a4a62c10fed85797f24

SHA1
bfb565bd089a8a28b1689fe8af7e72ff3b92a2fa

SHA256
2cc5ec4696f9f363850e97c0ade63b4cca68a7318a77605321a9188f8109c763

SHA512
fce99e16f5889612609cf7d9835323314c391320513aa33f1502ad9873607678afbe34087ba51aa46083a79b7095b3d0a3716a9e5a999c9fdfbbe7a3ff3b898f

Download Submit
C:\Windows\SysWOW64\Nkhfek32.exe

Filesize
80KB

MD5
20c172b69a1666190baea47ae1ce29a7

SHA1
9f2b5a33f4725922df64c6dcff574ff8a1582f59

SHA256
a266f552c33aa18caa6f78c740405c39a42fce9cfa3bb86243518d1287ff1fde

SHA512
34fb232a15ced3faa8e86f607dce3cf2e19c396d7a5b6f6e3b58617e21a11a16362fe501af2c24bf9da68d82c8b3a1c637e30d9ce84f99dfb4d2e4975eda4f9d

Download Submit
C:\Windows\SysWOW64\Nkjckkcg.exe

Filesize
80KB

MD5
eed62431ba1fedbcadbe5870cfe36718

SHA1
a2f1c9caf57bb9e99ee6b52e0d8c0c19663f1d0a

SHA256
d8d7c9045a2fd691e4064c58984f388fde01eeaa7376425b3e7e43f13d8a3f5d

SHA512
d2b5bfec04309914084b6e3e0163945b673abe4c7ff6de84d1406d2da9c40b8e05f2afd9283202c1c313157d0df10dacb75fe7ee1d6998355a486e4e86014d89

Download Submit
C:\Windows\SysWOW64\Nlcidopb.exe

Filesize
80KB

MD5
50e2dbe4398bde17b086a0ddc6fe9291

SHA1
f060656f2814ffdbd38f788b5fb8eb63d84ff8c8

SHA256
848af3aa7274f94fef6aa1325b243b9eb49c3db7572aca92f487a75408731f88

SHA512
3e0dd4e58cf98336e8f90f308d23d6146707bfd9bd5315774c8a2346a1aa9caa867768c93f10b4565e0d9e89f5aa9cecfc2b5f945d0140c86600fef5b6e3b421

Download Submit
C:\Windows\SysWOW64\Obfhmd32.exe

Filesize
80KB

MD5
bed0ab2825399249bd8f7126a039d69b

SHA1
c14e4a077bca2d5ebfc4dff71bf0aaaa84fcd415

SHA256
4aba40e3dd768cb4b6ebb324640aefc22a2b2310123126db37a0d04bf775dbcd

SHA512
84967b49ea3ca9abc56919f8210cc040f671963d47e72f1f673afdf6832bf09ef428735ac49ba7a3bd6fc92e83a0544cc4ec38356b5cef84782936fa7be3a24d

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
80KB

MD5
30f235972fc9c8a779af204048ab08dd

SHA1
0183322c19296663ea9859c593a7dae43c581694

SHA256
d31660d54a009839ccd8518542ce1becae23d10a9003aed9b3f88c95b7bb95e3

SHA512
1e92f1428916dc5e0257a1842606653f096beac3f03dca48eb9e0227d074dcea3ab25f68e840124a5339d0418be1ea1b9dfa0eef126de04dbc12183d6b8ee117

Download Submit
C:\Windows\SysWOW64\Odgqopeb.exe

Filesize
80KB

MD5
82ae897cc8a9cab04615f8af6cc5356a

SHA1
df3ff5367df3c30d63eac306f7df33ef2ac16415

SHA256
185573b4652eb758338cc7a3f8baf2b5bd7425c12ed4288a050d47b701e62360

SHA512
4594dcb8fc1f43dae41285472b5fed9e3a0704c39d63bf15386703d0ff77d27a0a18598d7c4b9dc43de2e5ade4a682563dd881eb91343e800435a69e06fe3188

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
80KB

MD5
4320ae467198e2fbc45e8e01240f4d35

SHA1
5b11185bd209fe927f2253a4ddaa33a98ac5bdf1

SHA256
d60445e45ccda617d55db7447f6340e94d14e7195b469a9b338ec89578fe8315

SHA512
a837ec06b591217e6d9ef8a87fbbc8af8246d144f4bc62d6331450a17e9a41655cab53bc7371b757e650379c63c29cff9ba1c25d19af50deb5b675d364f94241

Download Submit
C:\Windows\SysWOW64\Oheienli.exe

Filesize
80KB

MD5
2ef84805d0603e7e5916bb21fc2ab212

SHA1
07f588d6d3e2df456bfb6993f7f11d5624835b29

SHA256
390e0a66a8b332bd9725a0a57ce285360d961455bfbfe48eeedd96787df4f22a

SHA512
c7d99647ded9067fb11d7cf6a00a9f549594a05136a8edbefd61444ccbce2441d3b2d6b210a293e4a8991d9d82da47884bcfea10bbd60cb19e3776901b0d9712

Download Submit
C:\Windows\SysWOW64\Ohhfknjf.exe

Filesize
80KB

MD5
722d2f145bb39c680ab25be256428299

SHA1
6b51ba2b2fe87d2acfd1107a8480f00a59d57f62

SHA256
3093178dd9250a050aa4a4eaea9d02a8bb9fa13d7f6fac3114cb70e55c2e7ea2

SHA512
b2f96ef9f920cfb48340ef9588cd17a27c873f5d911bedd30122ed85893c01b89c6c089ae67c6d3822f34051d634bc84eebba3df94e53d9841dd3cdd9be3a5bc

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
80KB

MD5
e03ecabbf8d96a144eef201f5cddb2bd

SHA1
1ff6da308a5d178546586664c0f6d2ffb2cb9d35

SHA256
fcd9d762310269c58013cbfc07c5eee11d9dc6415947d27df571116f338b0329

SHA512
768fec56caa888d841e166a386c8c88fee376f57565852111aa7a00f6115e52930604cbd3c05788846361c9082be25727b2b5da23a76aed381f9fbd7abd747c7

Download Submit
C:\Windows\SysWOW64\Ollljmhg.exe

Filesize
80KB

MD5
d494db87f50033bc97a1de30a8bd9f77

SHA1
c9cbe33e30faea196bfdcef05ca94c6ae6a167ab

SHA256
3ec57277fc1defe9aabc3c8470f8ff3d528fc9a6610ce99102ce783eaf3efd23

SHA512
995b8f9e433a79d18b1d23a44d6aaac898c7aaf33b571a845145b45e07fa2cb5cbee597359a233f2fb2170420673be793adce836acee9a01de8fc75d51591b5b

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
80KB

MD5
8a5e139849aab9c11885d680d0f01352

SHA1
4130674a9dd7a8f4b04360804918621f8af48b71

SHA256
a5eb0b6e95d732190692c8ab0a8a97089c0e956db4d99461b6e3a7b43c69a9aa

SHA512
17520af321cd9e16efd7b082bf9e4e7880be6c456565c0e1c8664168b5a98693ef85341653224dd47c78711e761fe8ae2eb7192c0e05a79050cd367c95888c04

Download Submit
C:\Windows\SysWOW64\Pcpgmf32.exe

Filesize
80KB

MD5
f1e0d1e5cbfa96bc26705c06f80cc71b

SHA1
e89e738999a864e2e402bc659677754ad1b3433e

SHA256
c5e0408fab5849eed601bbd0a5f0801db53261092ca928cda977c9e4bcc69811

SHA512
2f41e2b7fa80f9020efea9d9448c116c599c18132b58cc686f25abdd84040bc00af127560fa4cf4a46d5ea977be09002ebe07a1de9178d452fba031e96caa883

Download Submit
C:\Windows\SysWOW64\Qbngeadf.exe

Filesize
80KB

MD5
abb6822a12314fd2ab7fec5b91f7b0c3

SHA1
cb05ae43f585724be0f8ab4231b29a007b31bbdc

SHA256
fdec5892655a05131b49bdb254421445f3bb6ba289e9ddb3f1dbffea8396d835

SHA512
2c2fdd8496976bbf8141f7ae72fc62040ca759623d6811565e4def8fdf72de3645df95524a16eb9b986f34cd6be97beccd69a160c29f4f4c8f8aebd34a8d70cf

Download Submit
memory/428-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/428-469-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/676-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1004-439-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1004-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1088-450-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1088-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1104-459-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1104-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1396-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1396-468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1464-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1464-453-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1660-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1660-464-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-451-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1772-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1772-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2008-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2008-458-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-466-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2316-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2316-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-444-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2808-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2888-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3044-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3080-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3120-462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3120-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3188-440-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3188-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3316-441-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3316-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3372-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3432-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3432-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3688-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3704-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3712-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3716-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3744-261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3832-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3832-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3984-452-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3984-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4024-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4088-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4092-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4092-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4100-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4380-463-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4380-207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-446-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-445-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4560-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4560-457-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4564-438-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4564-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4672-456-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4672-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4680-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4692-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4692-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4740-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-447-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4804-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4804-465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4808-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4808-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4900-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4908-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4908-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-266-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5128-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5168-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads