122deb75e515a8024bc3d74b9c2517b515dea3dbcd4c9a171199d15e59878f7d

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0874dbfc69dfbbb039b645cb6d47fe80N.exe
Size

112KB
MD5

0874dbfc69dfbbb039b645cb6d47fe80
SHA1

896b698de391e1ac621e1f60c551be7834497a50
SHA256

122deb75e515a8024bc3d74b9c2517b515dea3dbcd4c9a171199d15e59878f7d
SHA512

541a23bbeb07c26c9e93681c14e79a1c8d28d0307817dcf79eb128dc4fc1af7ecd13245b70e1d930cd022b3af53bd3f5b24b2cfa6d981b7aeda0cbe6021469f5
SSDEEP

3072:G2jLOfkwVGTbBciqHHyMQH2qC7ZQOlzSLUK6MwGsGnDc9o:G2fOMqHHyMQWfdQOhwJ6MwGsw

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkoemhao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okolfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0874dbfc69dfbbb039b645cb6d47fe80N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acppddig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aealll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdgahag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofdqcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mklfjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkholi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhfknjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pijcpmhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0874dbfc69dfbbb039b645cb6d47fe80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbljoafi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obkahddl.exe

Executes dropped EXE 64 IoCs

pid	Process
2680	Mkgmoncl.exe
5064	Mdpagc32.exe
3008	Mcabej32.exe
4444	Mdbnmbhj.exe
1776	Mklfjm32.exe
4316	Mebkge32.exe
1168	Mhpgca32.exe
3352	Mojopk32.exe
1448	Mdghhb32.exe
3928	Nchhfild.exe
4804	Nheqnpjk.exe
3284	Namegfql.exe
1460	Nkeipk32.exe
3244	Ncmaai32.exe
1608	Nfknmd32.exe
3192	Nocbfjmc.exe
1648	Nkjckkcg.exe
3796	Ncaklhdi.exe
4088	Nfpghccm.exe
4036	Ohncdobq.exe
3844	Okmpqjad.exe
4180	Ocdgahag.exe
2252	Obfhmd32.exe
3884	Odedipge.exe
4304	Okolfj32.exe
4128	Ookhfigk.exe
392	Ocfdgg32.exe
2316	Ofdqcc32.exe
4780	Odgqopeb.exe
232	Ohcmpn32.exe
2580	Okailj32.exe
3608	Oomelheh.exe
4156	Obkahddl.exe
4892	Ofgmib32.exe
756	Oheienli.exe
2952	Omaeem32.exe
2616	Okceaikl.exe
4320	Ocknbglo.exe
4276	Obnnnc32.exe
2888	Ofijnbkb.exe
4572	Ohhfknjf.exe
2256	Omcbkl32.exe
376	Ooangh32.exe
2960	Ocmjhfjl.exe
4744	Obpkcc32.exe
3044	Oflfdbip.exe
5156	Pijcpmhc.exe
5196	Pmeoqlpl.exe
5228	Pkholi32.exe
5268	Podkmgop.exe
5308	Pbbgicnd.exe
5348	Pdqcenmg.exe
5396	Pilpfm32.exe
5436	Pmhkflnj.exe
5476	Pofhbgmn.exe
5516	Pcbdcf32.exe
5556	Pbddobla.exe
5588	Pfppoa32.exe
5628	Piolkm32.exe
5672	Pmjhlklg.exe
5716	Pkmhgh32.exe
5748	Pcdqhecd.exe
5796	Pbgqdb32.exe
5836	Pfbmdabh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Daphho32.dll	Nkeipk32.exe
File opened for modification	C:\Windows\SysWOW64\Pmeoqlpl.exe	Pijcpmhc.exe
File created	C:\Windows\SysWOW64\Qihoak32.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Ofaqkhem.dll	Akihcfid.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Aealll32.exe
File created	C:\Windows\SysWOW64\Eoggpbpn.dll	0874dbfc69dfbbb039b645cb6d47fe80N.exe
File created	C:\Windows\SysWOW64\Nkjckkcg.exe	Nocbfjmc.exe
File created	C:\Windows\SysWOW64\Pfbmdabh.exe	Pbgqdb32.exe
File created	C:\Windows\SysWOW64\Afnlpohj.exe	Abcppq32.exe
File created	C:\Windows\SysWOW64\Mhpgca32.exe	Mebkge32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdgahag.exe	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Jdaaqg32.dll	Oheienli.exe
File created	C:\Windows\SysWOW64\Piceflpi.exe	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Pbljoafi.exe	Pcijce32.exe
File opened for modification	C:\Windows\SysWOW64\Qbngeadf.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Qfjcep32.exe	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Fmfbakio.dll	Nchhfild.exe
File opened for modification	C:\Windows\SysWOW64\Nfpghccm.exe	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Jcokoo32.dll	Ocfdgg32.exe
File opened for modification	C:\Windows\SysWOW64\Omaeem32.exe	Oheienli.exe
File opened for modification	C:\Windows\SysWOW64\Okceaikl.exe	Omaeem32.exe
File created	C:\Windows\SysWOW64\Nfpghccm.exe	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Nonhbi32.dll	Pmoagk32.exe
File opened for modification	C:\Windows\SysWOW64\Pkmhgh32.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Pehjfm32.exe	Pbimjb32.exe
File created	C:\Windows\SysWOW64\Pmoagk32.exe	Piceflpi.exe
File opened for modification	C:\Windows\SysWOW64\Oomelheh.exe	Okailj32.exe
File opened for modification	C:\Windows\SysWOW64\Omcbkl32.exe	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Qmanljfo.exe	Qifbll32.exe
File created	C:\Windows\SysWOW64\Qbngeadf.exe	Qckfid32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmoncl.exe	0874dbfc69dfbbb039b645cb6d47fe80N.exe
File created	C:\Windows\SysWOW64\Namegfql.exe	Nheqnpjk.exe
File created	C:\Windows\SysWOW64\Podkmgop.exe	Pkholi32.exe
File created	C:\Windows\SysWOW64\Ifoglp32.dll	Abpcja32.exe
File opened for modification	C:\Windows\SysWOW64\Oflfdbip.exe	Obpkcc32.exe
File created	C:\Windows\SysWOW64\Peempn32.exe	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Qcncodki.exe	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Abcppq32.exe	Acppddig.exe
File opened for modification	C:\Windows\SysWOW64\Nchhfild.exe	Mdghhb32.exe
File opened for modification	C:\Windows\SysWOW64\Pilpfm32.exe	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Pbddobla.exe	Pcbdcf32.exe
File opened for modification	C:\Windows\SysWOW64\Aealll32.exe	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Obfhmd32.exe	Ocdgahag.exe
File created	C:\Windows\SysWOW64\Eobdnbdn.dll	Ooangh32.exe
File created	C:\Windows\SysWOW64\Qelcamcj.exe	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Fpqifh32.dll	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Nbfndd32.dll	Ohcmpn32.exe
File created	C:\Windows\SysWOW64\Pmeoqlpl.exe	Pijcpmhc.exe
File opened for modification	C:\Windows\SysWOW64\Pcbdcf32.exe	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Cojaijla.dll	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Obkahddl.exe	Oomelheh.exe
File created	C:\Windows\SysWOW64\Hblaceei.dll	Piceflpi.exe
File created	C:\Windows\SysWOW64\Qfgfpp32.exe	Pbljoafi.exe
File created	C:\Windows\SysWOW64\Kialcj32.dll	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Bhejfl32.dll	Mhpgca32.exe
File opened for modification	C:\Windows\SysWOW64\Nheqnpjk.exe	Nchhfild.exe
File created	C:\Windows\SysWOW64\Ookhfigk.exe	Okolfj32.exe
File opened for modification	C:\Windows\SysWOW64\Obkahddl.exe	Oomelheh.exe
File created	C:\Windows\SysWOW64\Honmnc32.dll	Pmeoqlpl.exe
File created	C:\Windows\SysWOW64\Pcijce32.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Mcabej32.exe	Mdpagc32.exe
File created	C:\Windows\SysWOW64\Aojbfccl.dll	Mklfjm32.exe
File created	C:\Windows\SysWOW64\Ncmaai32.exe	Nkeipk32.exe
File opened for modification	C:\Windows\SysWOW64\Obfhmd32.exe	Ocdgahag.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooangh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkeipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofhbgmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peempn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpghccm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbgicnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncaklhdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocknbglo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpagc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0874dbfc69dfbbb039b645cb6d47fe80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkholi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nchhfild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nheqnpjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omaeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkgmoncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklfjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjckkcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obkahddl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkdohg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbljoafi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhfknjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqgpnjq.dll"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iipkfmal.dll"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pofhbgmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkeipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnggcqk.dll"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0874dbfc69dfbbb039b645cb6d47fe80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nchhfild.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okolfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhinoa32.dll"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aealll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfpghccm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapijd32.dll"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbdmc32.dll"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmejnpqp.dll"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpqifh32.dll"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaaqg32.dll"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjokai32.dll"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0874dbfc69dfbbb039b645cb6d47fe80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobdnbdn.dll"	Ooangh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkholi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qihoak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknmpb32.dll"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfjc32.dll"	Ocdgahag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0874dbfc69dfbbb039b645cb6d47fe80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjckkcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenflo32.dll"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0874dbfc69dfbbb039b645cb6d47fe80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkacdofa.dll"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aijlgkjq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2680	1988	0874dbfc69dfbbb039b645cb6d47fe80N.exe	91
PID 1988 wrote to memory of 2680	1988	0874dbfc69dfbbb039b645cb6d47fe80N.exe	91
PID 1988 wrote to memory of 2680	1988	0874dbfc69dfbbb039b645cb6d47fe80N.exe	91
PID 2680 wrote to memory of 5064	2680	Mkgmoncl.exe	92
PID 2680 wrote to memory of 5064	2680	Mkgmoncl.exe	92
PID 2680 wrote to memory of 5064	2680	Mkgmoncl.exe	92
PID 5064 wrote to memory of 3008	5064	Mdpagc32.exe	93
PID 5064 wrote to memory of 3008	5064	Mdpagc32.exe	93
PID 5064 wrote to memory of 3008	5064	Mdpagc32.exe	93
PID 3008 wrote to memory of 4444	3008	Mcabej32.exe	94
PID 3008 wrote to memory of 4444	3008	Mcabej32.exe	94
PID 3008 wrote to memory of 4444	3008	Mcabej32.exe	94
PID 4444 wrote to memory of 1776	4444	Mdbnmbhj.exe	95
PID 4444 wrote to memory of 1776	4444	Mdbnmbhj.exe	95
PID 4444 wrote to memory of 1776	4444	Mdbnmbhj.exe	95
PID 1776 wrote to memory of 4316	1776	Mklfjm32.exe	96
PID 1776 wrote to memory of 4316	1776	Mklfjm32.exe	96
PID 1776 wrote to memory of 4316	1776	Mklfjm32.exe	96
PID 4316 wrote to memory of 1168	4316	Mebkge32.exe	98
PID 4316 wrote to memory of 1168	4316	Mebkge32.exe	98
PID 4316 wrote to memory of 1168	4316	Mebkge32.exe	98
PID 1168 wrote to memory of 3352	1168	Mhpgca32.exe	99
PID 1168 wrote to memory of 3352	1168	Mhpgca32.exe	99
PID 1168 wrote to memory of 3352	1168	Mhpgca32.exe	99
PID 3352 wrote to memory of 1448	3352	Mojopk32.exe	100
PID 3352 wrote to memory of 1448	3352	Mojopk32.exe	100
PID 3352 wrote to memory of 1448	3352	Mojopk32.exe	100
PID 1448 wrote to memory of 3928	1448	Mdghhb32.exe	101
PID 1448 wrote to memory of 3928	1448	Mdghhb32.exe	101
PID 1448 wrote to memory of 3928	1448	Mdghhb32.exe	101
PID 3928 wrote to memory of 4804	3928	Nchhfild.exe	102
PID 3928 wrote to memory of 4804	3928	Nchhfild.exe	102
PID 3928 wrote to memory of 4804	3928	Nchhfild.exe	102
PID 4804 wrote to memory of 3284	4804	Nheqnpjk.exe	103
PID 4804 wrote to memory of 3284	4804	Nheqnpjk.exe	103
PID 4804 wrote to memory of 3284	4804	Nheqnpjk.exe	103
PID 3284 wrote to memory of 1460	3284	Namegfql.exe	104
PID 3284 wrote to memory of 1460	3284	Namegfql.exe	104
PID 3284 wrote to memory of 1460	3284	Namegfql.exe	104
PID 1460 wrote to memory of 3244	1460	Nkeipk32.exe	105
PID 1460 wrote to memory of 3244	1460	Nkeipk32.exe	105
PID 1460 wrote to memory of 3244	1460	Nkeipk32.exe	105
PID 3244 wrote to memory of 1608	3244	Ncmaai32.exe	106
PID 3244 wrote to memory of 1608	3244	Ncmaai32.exe	106
PID 3244 wrote to memory of 1608	3244	Ncmaai32.exe	106
PID 1608 wrote to memory of 3192	1608	Nfknmd32.exe	108
PID 1608 wrote to memory of 3192	1608	Nfknmd32.exe	108
PID 1608 wrote to memory of 3192	1608	Nfknmd32.exe	108
PID 3192 wrote to memory of 1648	3192	Nocbfjmc.exe	109
PID 3192 wrote to memory of 1648	3192	Nocbfjmc.exe	109
PID 3192 wrote to memory of 1648	3192	Nocbfjmc.exe	109
PID 1648 wrote to memory of 3796	1648	Nkjckkcg.exe	110
PID 1648 wrote to memory of 3796	1648	Nkjckkcg.exe	110
PID 1648 wrote to memory of 3796	1648	Nkjckkcg.exe	110
PID 3796 wrote to memory of 4088	3796	Ncaklhdi.exe	111
PID 3796 wrote to memory of 4088	3796	Ncaklhdi.exe	111
PID 3796 wrote to memory of 4088	3796	Ncaklhdi.exe	111
PID 4088 wrote to memory of 4036	4088	Nfpghccm.exe	112
PID 4088 wrote to memory of 4036	4088	Nfpghccm.exe	112
PID 4088 wrote to memory of 4036	4088	Nfpghccm.exe	112
PID 4036 wrote to memory of 3844	4036	Ohncdobq.exe	113
PID 4036 wrote to memory of 3844	4036	Ohncdobq.exe	113
PID 4036 wrote to memory of 3844	4036	Ohncdobq.exe	113
PID 3844 wrote to memory of 4180	3844	Okmpqjad.exe	114

C:\Users\Admin\AppData\Local\Temp\0874dbfc69dfbbb039b645cb6d47fe80N.exe
"C:\Users\Admin\AppData\Local\Temp\0874dbfc69dfbbb039b645cb6d47fe80N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\Mkgmoncl.exe
  C:\Windows\system32\Mkgmoncl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\Mdpagc32.exe
    C:\Windows\system32\Mdpagc32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\SysWOW64\Mcabej32.exe
      C:\Windows\system32\Mcabej32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
      - C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        25⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        47⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5556
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5588
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        62⤵
        Executes dropped EXE
        
        PID:5716
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        69⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:5276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mcabej32.exe

Filesize
112KB

MD5
cbf812dbb91cc36e55df11c6d638272f

SHA1
301dded7e3cd5861a79e517cc6aab93055c84d57

SHA256
ae9066604b5ae5384cf46c0d8833550bdd2db329bf66cb733f3114ae9be068a4

SHA512
d1c1a3d161b621400a838062f4eb095fe5c98e8b0a3fd798711e875185ce29f6d4f738481f6fe0b2392d0186f062309c3db42a2b7d59be2d12ecc8b514587d8d

Download Submit
C:\Windows\SysWOW64\Mdbnmbhj.exe

Filesize
112KB

MD5
8e53f597e57647d3beb78df67adb4cea

SHA1
52c0d59fc7cef9ab79a0f683ee71faeaf33b2b6d

SHA256
169afd2cd0a4f8faaa05d67c8cf6a7e64ad85c819b12c7cd87a7ac09f6d1d5cc

SHA512
eb932bb4f66c2848725753493dd941d7a5cde7a0476c7767b50a226e4b747852da5f344133159263a27a9644e325674d3385ee7a0b5c3a7480ab0c183747b4f6

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
112KB

MD5
dabdf23b0c7fa850dcad313a013fdb87

SHA1
4d35985c1863da49d2e7b70390c2971b6039eead

SHA256
52262e40496fc5b56ada206ce9d6c9e11c34ef47d33ce0ab9c38ff35b6207658

SHA512
7ffda2929496670f0124c6dc6ada8220f245438eccb432a67558ba5d24c4ea43ef59b4c043b936ff9af4b86ad84cab1193ec95c48492e9c2b2525a4bb93c2b80

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
112KB

MD5
9f56934e4baa5f1374ae14139ffe6cad

SHA1
2ba7fcab2ae2e9a4a59601bdcc888f306e7fdd20

SHA256
d7b2ef1b87b494b64583c7db72e1a2c8faca148163a0581022e70833269d864a

SHA512
acc7ce5391b69ae2ca8f7b824f76c4406209a932f41675fc4a0e15814ad35745b8a8cc7cfeeb1e31fe386ed7294a8a2203bc543f38ca725cab22877dfa5878e2

Download Submit
C:\Windows\SysWOW64\Mebkge32.exe

Filesize
112KB

MD5
3c2701d876d7db34fb3bcf3f6433ac84

SHA1
b22ee2360d5e6e12d0b038ff6210c167f62dd232

SHA256
0ba6ad0f9cbe642d513ce835d23e2e3b0101ce7fa9b2b7644a8754d7693e6b9d

SHA512
1ff8690c5117de52a082b1ada97ad422c15830621818cd96a1dd83ae59b3c90bc3d3d9efb48ebeb744bf73a041874dca77c72e856af8744fde6f7c81cf598e13

Download Submit
C:\Windows\SysWOW64\Mhpgca32.exe

Filesize
112KB

MD5
e95b213f98aeb04d2c003936a526bd04

SHA1
5468a9a86e2f2c5b11d6800a28d057b81e78a354

SHA256
f1f71ed17071506a5808585e0cad13098adc8bd8440b9637183270577c9e96ed

SHA512
a4e9af29e28b4b1e371ef2289683ae615e2fb89e820ee7932f63a5102f1e0626f9105c6c53e5e9425af1c65ab62d0ded0003e63e38d390826ad186db35189d3f

Download Submit
C:\Windows\SysWOW64\Mkgmoncl.exe

Filesize
112KB

MD5
abde53a31c60c8c4d3417c0d815171d2

SHA1
a4b68d2ecf2b6928c584cef3c13080d46db889d7

SHA256
349bc59786738a9a70dc86813f095b7e2e1b47dc86525ecb8eabc09fe77daaa4

SHA512
2f8feb76dc0339d1b2eb893268522dd090090d9794f48396ab1ad7ef0461d03d6358274adb43e3e5e7d54a0018060da0f18920ac6e22303598b38cc61127969e

Download Submit
C:\Windows\SysWOW64\Mklfjm32.exe

Filesize
112KB

MD5
02dd31edbb802fc4f812c1322ff4b673

SHA1
d16fb1e2a9400fe1e7a8419e8e55c01d81420637

SHA256
63be2fdd28a915ac8a4783a6eb7379c48b05af3b64ab6a5f2f3efd8eaf2b0e8d

SHA512
7cf3b3a0d3ebac44438d17d6480166872c1be154b5554bb2043c44875179b931ff6c0b230351983ccff0e1021e887c5b736e5b4b39822c03df535ee2d49c6d46

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
112KB

MD5
d7691da2c29c27a3426f2f77dc003806

SHA1
7527d219ac626eeefbd52ea4fa919eb0f9f3de13

SHA256
7a939b500609fbef2083e73365ee86c1f56a29af9748e5ccc162f5eb9012442d

SHA512
6c66672c5dcc613e1c417f88ddc678170d4646dc5371bba939bb2badeca3a18f525c0ecedccc95b7541e0c95065fd9a69c8ef7f3d5ed2cad04f2ca59fdce0fb4

Download Submit
C:\Windows\SysWOW64\Namegfql.exe

Filesize
112KB

MD5
5b7bccf74da61275f480fd49e253c526

SHA1
3be9d8c71fb72d85fd432d6a9ca5b55ff39896b0

SHA256
8e0bd03750d921e36cdd38b09272ae1b0688b482d5d88a2f13c2328ebc2e0e75

SHA512
a4dc5e51b4deda20b40405e67ff9acf1be9a09b8f79facde6b816a604433c8c088d49d5eb1180a82184ec2b58a15a688e362f3e50a6edc1c6d031fd21d54872c

Download Submit
C:\Windows\SysWOW64\Ncaklhdi.exe

Filesize
112KB

MD5
6e7c89053d07c5ccc7fdc66aca7cc6c9

SHA1
ca00b4c54728dfe18e94b733519cca1adba87ba7

SHA256
5f67f63ada5eb03222effe38459628aae6d0d853d230d99b71e06eac324d7348

SHA512
afd4414729d3d3b281681938529fe0ea440a49aae564163578688c18268635d1f1c1051266cea91c49a86f8e76c1dcf210b48e44b1108a228eaa1b9e12802980

Download Submit
C:\Windows\SysWOW64\Nchhfild.exe

Filesize
112KB

MD5
3e32908f60ec2457e8f074d4d8743cc6

SHA1
a24b67e9d6cdcf7d4eae81844bfc3331f17c6e5f

SHA256
13cc6a9a0d678b296aba4d842e8f4009faaa25975166e71646f49f350f1b4ab2

SHA512
1b433fbf0b1c44867b67a25771e2386c8573ae759b6af0246fae076429941439ce484df62cc7da6bc3c8a1c256ff80f2330a9ce63e3bebf0d61e3f9af617f03a

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
112KB

MD5
0e6698e2184e4963b45f3997ae2f6acc

SHA1
8e2f233336e7e7b502d51513b3945c1dd72823b7

SHA256
d236159949e6634c40df9bc49c8db752766fa699e9487a0a79f9aec3af4605cc

SHA512
d09b543926762fd3897c4a541bd3a2c2717961d67236be4037a75fae0cfb2eeb43562b62bc918820f1ace35df7d6f7f7e3ea4ea03df0f5b3a85215ea5ce85a18

Download Submit
C:\Windows\SysWOW64\Nfknmd32.exe

Filesize
112KB

MD5
a7893d43cdaea76ce5a5a4f3af2d5ea1

SHA1
86187cc448589bd43f5d630098d6275d3c14ae37

SHA256
658225cb1055f3f95f3da3129f9d228666b05365761bd0c871a0a9a7e68133be

SHA512
39eb2f64bc9a2366d2c487470fbc23a808923663f1ca93d4139df011f17edb77af3fa82f510c5f45871c45e5cccdc25ace88c7cf3a273c2dfa47827cedc97bb0

Download Submit
C:\Windows\SysWOW64\Nfpghccm.exe

Filesize
112KB

MD5
4db4c4b1b95d32d41acb358b0e562c97

SHA1
723df16a0585ab927f4ced8fa7fd3bd6d957a709

SHA256
48581b5bc673fca08a670c6aa25eb2ad8feaf51753d0851ce6a5d0dcd3a08ad0

SHA512
29955c6fc648fe191109997f67f29024bdc8a9e1b75e0243fac229db2b8c1d943767899242ae7fe9b01b69409e5fcec47931e18f04f84bf0b975eef0aea488a7

Download Submit
C:\Windows\SysWOW64\Nheqnpjk.exe

Filesize
112KB

MD5
276d8a12e863539f8984b8bdfe630b6f

SHA1
06d42179abab7e16ad7a756a0f2ba6d9415f47eb

SHA256
beafc9e149b594f480c0b58de7a2013f35206cb9bd614893f5cab09c72eb6d60

SHA512
b035bdacc844e99e24a82f56e15232e14978b4988657fe7217a20b19cf59d766af27d0d7b92a04e1dd8caaada3bf20b10fc9522864cc74920c245f656dece1a7

Download Submit
C:\Windows\SysWOW64\Nkeipk32.exe

Filesize
112KB

MD5
204c1a2f747b564e52228548db128f48

SHA1
e38c45c86deaa45c4e00b92a08bea6e14e60375d

SHA256
9ec822b29877e143e6e4df8af78858711de0e8d6559c5efaed645909cb82d3d7

SHA512
d6849886b280ed61fe25085829f56f486fecf1a878c376065c9718be4899b29f57f2d16e51f7260953e2e46f4ac109f777bc87d6d8ff3d8eef85f95115a97877

Download Submit
C:\Windows\SysWOW64\Nkjckkcg.exe

Filesize
112KB

MD5
6c7ef540217cc82da4b6082c58e416ac

SHA1
ae5c1e4c76afc181241a0d5b4f3cb98390b423ac

SHA256
45bdd84dcf64c6d19e7cf7c9da9e8346f88826e4719213883a32dea6882e2605

SHA512
4c93dd1a2439d8766e7f2a4bd3e5dd7e572a9babc95ddacb35a76480b68edf128cf9d764afb04958b0fac9b112eb6030a7b9cc0160f671e97a9d5d13d579ff99

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe

Filesize
112KB

MD5
6b8672af4722be13325c776549110217

SHA1
2d736ddfe25ac8510853f4ae44d7da1a7e7930f1

SHA256
fe1d1eb2d92f26ea8ded9e077cda8144c6f57dfe378e52b244e4c14cc1985335

SHA512
0d318e3c1d57ac5ce68df455070006bd0caeec8c67579dacd5327db41e827d6b2b537a4aab86cb46fa3f2065d6861eca8eb6681de8b0ba9722b1cc4fdd83ee61

Download Submit
C:\Windows\SysWOW64\Obfhmd32.exe

Filesize
112KB

MD5
2d1066f97edfee49405b3ff943107e14

SHA1
a0fbae163908721c80a199e402abffbd81e0e190

SHA256
9d8a23bf587afa0dc986b917db556dc9afba60206c3ec730ffb3e8f59e180ff6

SHA512
be61252a9fe3c6a7cc99d799734ef28c4b55a5e12a88e18308fb8479f110f644229630ab10bb6a01e84fdaa238514e0f8facabe5e8480aa6e7deab875ef44348

Download Submit
C:\Windows\SysWOW64\Ocdgahag.exe

Filesize
112KB

MD5
0c1bbaffae8781d7faf3c754d7a8d243

SHA1
956d16063266dccbd1227dafb38c2f3149f67f84

SHA256
665031df17b42daebbd03e2628c2c1687832f753abac6899aa2dc3ca02eb5ded

SHA512
9e952c46515bb8d2a861228dfc45f6d8d5be1e9e44d3e11dbeafd98dbd9ebb0d324d691f46dd9b5c2a18002168cabf66d2a1fb5275d26ea536f64f69849efcc5

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
112KB

MD5
5ce0011811e9528ede5037f4c964a16e

SHA1
cb8227a7173733639684cc17c894743788fe55a9

SHA256
4a61a85c57db351284e9e284daf056ef4c27e8fdfdbf706f6108c3fc93197871

SHA512
addcda43539a5a26a13c7a6fdfff2232a2567d73e2580ec1f3068db2e15e7c06621852d6e72b0cbf642edd016404808d0a2b5dc66d696139c2c9d5c2ca7a4311

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
112KB

MD5
afcb12d3d72e99407e2fd935b2472e56

SHA1
14560be38a0e7145c1ac21398c3ee7f0ec564f55

SHA256
2ed0ed3157dd23854fd631b68cf9c32036afd3200dff85f40c44ad1b7530871a

SHA512
7e7ef4354bc6c13bf1a355f3f7a4e8bbbcf253c63b6d022bd0c7d079b2c56caf9704f72a4b336a86dc4c803aa8c15177c32f355876b0867500b7a3b2e28156b8

Download Submit
C:\Windows\SysWOW64\Odgqopeb.exe

Filesize
112KB

MD5
0dc33881b23ed3181cf543d3e53919cc

SHA1
84871d041df8fa1da86f012beb129a224e9a9509

SHA256
7f2937d61d7122be9e89e269ca1fe74f08875369fad044c25072f5d0b5c915df

SHA512
5a9c0819f7397b17a86f4904efeed31d4ba40c19fb3f4ebfd30b693f31d2b3a6013aa42821ed77f744a04ca7f7f1ee1dd338f5868b9cdae4017af2f08a2c598b

Download Submit
C:\Windows\SysWOW64\Ofdqcc32.exe

Filesize
112KB

MD5
5de96398746787e89c4ec2c103f959ff

SHA1
dc7ce4aacc6297777442ec965e4bd27609440c3b

SHA256
277fe6778690a0ae1d1d3311c35e198588dffc461b9a10ed0e708235d109a4dc

SHA512
cb1053c4a32037c8f0b58c8ea59bedf86a58da6013908209e0037d4f5ee7035aa9572e1f0a554fe049370429558bcab10b8227cd16e87e94ad6e431d7514cde6

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe

Filesize
112KB

MD5
317abb514c8d7a6b20431dc5a0a81a9c

SHA1
dbf86e7a53b1d49668f1481cb3ef5aed94c75afa

SHA256
afaa45ef4bad90d1093e7424b0d2ba2fe9c2a7ca2ec31d823554b47fe293184c

SHA512
397ce8c63415ec2f8d3422dbf56b9565a18a3021e567bc2c8870c5ea52327d7f9e0422616f965a2de875367552b3495a99afc6c5349beddae83780b3c4aaf529

Download Submit
C:\Windows\SysWOW64\Ohncdobq.exe

Filesize
112KB

MD5
ea7d2bf296495cdfc17b327707aac927

SHA1
705000109bec5adf41c4ce2098e1ae52cb6ea1d2

SHA256
709858efcb89fec57e3838ce25df624d2452b457e25cc0484254e9987a5b1508

SHA512
e96c9d2458c25473ad408c9dbb9c4b4e41a425f5782c8055de1b48e3de88ea0e1edafe7e5ae0f5fe9cb72ca90a5a68fb4b8e9a77755a3dbbf2bdaa0d1947a3d1

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
112KB

MD5
65ab3243821d3a4a67a42269f6786d37

SHA1
d4ae6f8de8b159e79af2c01b00a5f5e144c4daeb

SHA256
8a2d9cd5c5d93c08c2e11399341ecdd1b920ffd00ed7d27d210129521f257018

SHA512
08c9651f205c7dd989e3c24626029f87547a459733c1cfc9bf5c6b7ef7688b0d7d267fdc7edb3bba8d6c03f120630f9ad1e271afed6326aacf3612eea08336df

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
112KB

MD5
6a5b29133ecdea5858f4adc659c0521a

SHA1
52f4f679f107ea76da6aeb106464e3a11e5ed107

SHA256
6d63c78ad9a51c8a05cd8bd8454fe82422e5b3eda221c655a63ef5eafb7c5b4f

SHA512
f262213c1f213da03cc69c2708d684f4664632774343bbbc4ada6057891e90027160d3dde81f57a43f94793095b68dd5a4cf0bf791b3697f0bb9e5dc9ca0bea2

Download Submit
C:\Windows\SysWOW64\Okolfj32.exe

Filesize
112KB

MD5
b895b95da9f30e338abee2796e238011

SHA1
e81864469dcd6fd2bfd6cb632f9804edb8995359

SHA256
aeaf4a53559b37e53cd686ef0f600773d57ebc7b654d60972017c0ae7829ccb7

SHA512
8a426ca74d096a88ac2502c9c9efc2930c999f0697904f38c49fd80c44fe107b903f07c86ac6c669fc3922560deb0f088026f1332c5c06741712eab52e809777

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
112KB

MD5
93d3879334e897ccf0633d8f0f6cc947

SHA1
c172c8bb40fc6b15b40d42eaccbc86f4c91e5650

SHA256
744d5df4b31f337ac726dea79d6a3f4438e2dcf8d931cee2399bb309a3f37075

SHA512
9d5e95567f1167a5f67474025b1079da100a0cdc91919cba03e4dbde3ce9a1e0b722121e10acb2cf628b3f4d2c86afeba86fb9807b21904739ca61aea4b5fe0e

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
112KB

MD5
31c74de52749423df9b7d26e3a14012d

SHA1
2bf00682a24c07b8a98ecc601072556e4d952f74

SHA256
90cadde8227535e6e43c06e455860ff80cc2db35bd4675894bf9b1ea8a7c0256

SHA512
9ae2ffca3ee862e2a1c961f4f7977e75871b344e5fbcfbe88d9e69844ae92a26d779cadf99c00ec146b60557a2f7e71273a791add0d24bb6eecba09ea9444cc2

Download Submit
memory/232-264-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/376-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/392-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/756-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1168-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1168-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1460-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1460-203-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1596-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1608-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1608-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1648-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1776-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1776-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2088-533-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2184-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2252-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2256-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2316-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2952-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3044-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3192-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3192-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3244-204-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3244-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3284-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3284-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3352-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3352-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3796-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3844-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3884-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3928-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3928-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4036-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4036-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4088-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4088-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4128-230-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4156-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4180-194-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4276-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4304-222-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4316-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4316-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4320-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4568-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4572-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4744-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4804-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4804-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5064-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5064-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5156-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5196-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5228-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5268-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5308-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5348-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5396-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5436-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5476-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5516-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5556-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5588-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5628-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5672-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5716-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5748-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5796-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5836-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5876-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5908-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5956-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5992-497-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6028-503-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6068-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6116-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads