3dc0598e1905fa23a992f5a7236d43ea93fdbef532226d6c0f7db279bf721837

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1a326e5a0f8774aad7a6c8376f81320N.exe
Size

128KB
MD5

d1a326e5a0f8774aad7a6c8376f81320
SHA1

80cab1825b61129cc1b33fc491820623eec1e889
SHA256

3dc0598e1905fa23a992f5a7236d43ea93fdbef532226d6c0f7db279bf721837
SHA512

fce8583478270d9c05517ab70be46a206833cb599b29f63de8732a781845725e5ed06bd6363c436bd503cdec47efe7fb3278aceca75fe154e26109b938f200b8
SSDEEP

3072:EhORtR0XNGfMlhG2R3YXe5rx7cEGrhkngpDvchkqbAIQxgFM9MD:EozfMls2j5rx4brq2Ah1FM6D

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acdioc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dlqpaafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aealll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkapelka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbefln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bipnihgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciknefmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlqpaafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d1a326e5a0f8774aad7a6c8376f81320N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbefln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clbdpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bimach32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nefdbekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clpgkcdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofbdncaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjmdocp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpbpecen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aioebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clijablo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfjllnnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepineo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpbpecen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Almanf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhofnpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdebfago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpgjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nefdbekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clbdpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbaehl32.exe

Executes dropped EXE 64 IoCs

pid	Process
1912	Loopdmpk.exe
3068	Ldkhlcnb.exe
3952	Mkepineo.exe
3988	Mekdffee.exe
2980	Mdnebc32.exe
3040	Medglemj.exe
4408	Mdghhb32.exe
2620	Nkapelka.exe
4544	Nefdbekh.exe
3328	Nkcmjlio.exe
1476	Nfiagd32.exe
3732	Nhgmcp32.exe
404	Ndnnianm.exe
4880	Nlefjnno.exe
4788	Nbbnbemf.exe
3620	Ndpjnq32.exe
4832	Nkjckkcg.exe
4800	Nbdkhe32.exe
3980	Odbgdp32.exe
4532	Ocdgahag.exe
5040	Ofbdncaj.exe
4988	Ookhfigk.exe
3600	Odgqopeb.exe
3056	Oomelheh.exe
1716	Odjmdocp.exe
4596	Okceaikl.exe
3208	Ofijnbkb.exe
440	Omcbkl32.exe
2792	Oflfdbip.exe
2772	Pmeoqlpl.exe
1436	Pcpgmf32.exe
4808	Pilpfm32.exe
4620	Pcbdcf32.exe
4376	Pfppoa32.exe
3024	Pkmhgh32.exe
2860	Pbgqdb32.exe
1316	Peempn32.exe
3608	Pkoemhao.exe
1976	Pbimjb32.exe
3564	Pfeijqqe.exe
4520	Pmoagk32.exe
1916	Pomncfge.exe
4828	Qejfkmem.exe
2876	Qmanljfo.exe
4992	Qckfid32.exe
2244	Qfjcep32.exe
2484	Qmckbjdl.exe
3500	Aflpkpjm.exe
3704	Amfhgj32.exe
2080	Apddce32.exe
112	Aealll32.exe
924	Apgqie32.exe
3448	Aioebj32.exe
4844	Almanf32.exe
3880	Acdioc32.exe
2472	Ammnhilb.exe
652	Acgfec32.exe
4104	Afeban32.exe
5084	Albkieqj.exe
5124	Bfhofnpp.exe
5160	Bejobk32.exe
5208	Bppcpc32.exe
5248	Bfjllnnm.exe
5292	Bpbpecen.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nkcmjlio.exe	Nefdbekh.exe
File created	C:\Windows\SysWOW64\Naapmhbn.dll	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Jkiigchm.dll	Pfppoa32.exe
File opened for modification	C:\Windows\SysWOW64\Dbhlikpf.exe	Dpjompqc.exe
File created	C:\Windows\SysWOW64\Nkeoha32.dll	Bimach32.exe
File created	C:\Windows\SysWOW64\Midbjmkg.dll	Cdebfago.exe
File created	C:\Windows\SysWOW64\Ldbeqlcg.dll	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Mdghhb32.exe	Medglemj.exe
File created	C:\Windows\SysWOW64\Nefdbekh.exe	Nkapelka.exe
File opened for modification	C:\Windows\SysWOW64\Nfiagd32.exe	Nkcmjlio.exe
File opened for modification	C:\Windows\SysWOW64\Odjmdocp.exe	Oomelheh.exe
File created	C:\Windows\SysWOW64\Albkieqj.exe	Afeban32.exe
File opened for modification	C:\Windows\SysWOW64\Odbgdp32.exe	Nbdkhe32.exe
File opened for modification	C:\Windows\SysWOW64\Oomelheh.exe	Odgqopeb.exe
File created	C:\Windows\SysWOW64\Mjdmlonn.dll	Cdgolq32.exe
File opened for modification	C:\Windows\SysWOW64\Nbbnbemf.exe	Nlefjnno.exe
File created	C:\Windows\SysWOW64\Cbmlmmjd.exe	Clbdpc32.exe
File created	C:\Windows\SysWOW64\Dmkcpdao.exe	Dfakcj32.exe
File opened for modification	C:\Windows\SysWOW64\Dmkcpdao.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Nffopp32.dll	Defheg32.exe
File created	C:\Windows\SysWOW64\Fbelak32.dll	Ciknefmk.exe
File created	C:\Windows\SysWOW64\Nfmcle32.dll	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Pfeijqqe.exe	Pbimjb32.exe
File created	C:\Windows\SysWOW64\Ggociklh.dll	Apddce32.exe
File opened for modification	C:\Windows\SysWOW64\Afeban32.exe	Acgfec32.exe
File created	C:\Windows\SysWOW64\Bppcpc32.exe	Bejobk32.exe
File opened for modification	C:\Windows\SysWOW64\Cidgdg32.exe	Cdgolq32.exe
File opened for modification	C:\Windows\SysWOW64\Mdnebc32.exe	Mekdffee.exe
File created	C:\Windows\SysWOW64\Gofndo32.dll	Bpgjpb32.exe
File created	C:\Windows\SysWOW64\Mekdffee.exe	Mkepineo.exe
File opened for modification	C:\Windows\SysWOW64\Almanf32.exe	Aioebj32.exe
File created	C:\Windows\SysWOW64\Cefnemqj.dll	Acdioc32.exe
File opened for modification	C:\Windows\SysWOW64\Pfeijqqe.exe	Pbimjb32.exe
File created	C:\Windows\SysWOW64\Apgqie32.exe	Aealll32.exe
File opened for modification	C:\Windows\SysWOW64\Bliajd32.exe	Bikeni32.exe
File opened for modification	C:\Windows\SysWOW64\Ddcogo32.exe	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Qmanljfo.exe	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Dmabgl32.dll	Bbcignbo.exe
File created	C:\Windows\SysWOW64\Bbefln32.exe	Bpgjpb32.exe
File created	C:\Windows\SysWOW64\Conllp32.dll	Pomncfge.exe
File created	C:\Windows\SysWOW64\Ebldoh32.dll	Dmifkecb.exe
File opened for modification	C:\Windows\SysWOW64\Dpjompqc.exe	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Kchhih32.dll	Mekdffee.exe
File opened for modification	C:\Windows\SysWOW64\Nkapelka.exe	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Kkacdofa.dll	Odgqopeb.exe
File created	C:\Windows\SysWOW64\Apddce32.exe	Amfhgj32.exe
File opened for modification	C:\Windows\SysWOW64\Apgqie32.exe	Aealll32.exe
File created	C:\Windows\SysWOW64\Defheg32.exe	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Pdgfaf32.dll	Nfiagd32.exe
File created	C:\Windows\SysWOW64\Mfppnk32.dll	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Mdphmfph.dll	Bppcpc32.exe
File opened for modification	C:\Windows\SysWOW64\Okceaikl.exe	Odjmdocp.exe
File created	C:\Windows\SysWOW64\Pcpgmf32.exe	Pmeoqlpl.exe
File created	C:\Windows\SysWOW64\Pbgqdb32.exe	Pkmhgh32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoagk32.exe	Pfeijqqe.exe
File opened for modification	C:\Windows\SysWOW64\Qckfid32.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Ndpjnq32.exe	Nbbnbemf.exe
File opened for modification	C:\Windows\SysWOW64\Pbgqdb32.exe	Pkmhgh32.exe
File created	C:\Windows\SysWOW64\Clpgkcdj.exe	Cibkohef.exe
File created	C:\Windows\SysWOW64\Fiinbn32.dll	Dmkcpdao.exe
File opened for modification	C:\Windows\SysWOW64\Ocdgahag.exe	Odbgdp32.exe
File created	C:\Windows\SysWOW64\Okceaikl.exe	Odjmdocp.exe
File opened for modification	C:\Windows\SysWOW64\Amfhgj32.exe	Aflpkpjm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5912	5560	WerFault.exe	194

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipnihgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmifkecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odbgdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddqbbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookhfigk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mekdffee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhofnpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clpgkcdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defheg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albkieqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bliajd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlqpaafg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbnbemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibkohef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbaehl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loopdmpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dibdeegc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdgolq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmkcpdao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeijqqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cifdjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbmlmmjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkapelka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhlikpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfjllnnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjompqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdkhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgqie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdgahag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clbdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldkhlcnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammnhilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afeban32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbefln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkepineo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfiagd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpbpecen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejobk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbcignbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhgpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nefdbekh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d1a326e5a0f8774aad7a6c8376f81320N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odbgdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiinbn32.dll"	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbbnbemf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbndhppc.dll"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggociklh.dll"	Apddce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlefjnno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afeban32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapijd32.dll"	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmccbngq.dll"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odemep32.dll"	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmabgl32.dll"	Bbcignbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nefdbekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbbel32.dll"	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdebfago.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofndo32.dll"	Bpgjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	d1a326e5a0f8774aad7a6c8376f81320N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldkhlcnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhodebp.dll"	Mkepineo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkapelka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbdkhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfhofnpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffcf32.dll"	Loopdmpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mekdffee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bliajd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cidgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfomcn32.dll"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clbdpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaohckm.dll"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgilmo32.dll"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmidc32.dll"	Cpifeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Defheg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Loopdmpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naapmhbn.dll"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpldj32.dll"	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdgolq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 1912	4036	d1a326e5a0f8774aad7a6c8376f81320N.exe	91
PID 4036 wrote to memory of 1912	4036	d1a326e5a0f8774aad7a6c8376f81320N.exe	91
PID 4036 wrote to memory of 1912	4036	d1a326e5a0f8774aad7a6c8376f81320N.exe	91
PID 1912 wrote to memory of 3068	1912	Loopdmpk.exe	92
PID 1912 wrote to memory of 3068	1912	Loopdmpk.exe	92
PID 1912 wrote to memory of 3068	1912	Loopdmpk.exe	92
PID 3068 wrote to memory of 3952	3068	Ldkhlcnb.exe	93
PID 3068 wrote to memory of 3952	3068	Ldkhlcnb.exe	93
PID 3068 wrote to memory of 3952	3068	Ldkhlcnb.exe	93
PID 3952 wrote to memory of 3988	3952	Mkepineo.exe	94
PID 3952 wrote to memory of 3988	3952	Mkepineo.exe	94
PID 3952 wrote to memory of 3988	3952	Mkepineo.exe	94
PID 3988 wrote to memory of 2980	3988	Mekdffee.exe	95
PID 3988 wrote to memory of 2980	3988	Mekdffee.exe	95
PID 3988 wrote to memory of 2980	3988	Mekdffee.exe	95
PID 2980 wrote to memory of 3040	2980	Mdnebc32.exe	96
PID 2980 wrote to memory of 3040	2980	Mdnebc32.exe	96
PID 2980 wrote to memory of 3040	2980	Mdnebc32.exe	96
PID 3040 wrote to memory of 4408	3040	Medglemj.exe	97
PID 3040 wrote to memory of 4408	3040	Medglemj.exe	97
PID 3040 wrote to memory of 4408	3040	Medglemj.exe	97
PID 4408 wrote to memory of 2620	4408	Mdghhb32.exe	98
PID 4408 wrote to memory of 2620	4408	Mdghhb32.exe	98
PID 4408 wrote to memory of 2620	4408	Mdghhb32.exe	98
PID 2620 wrote to memory of 4544	2620	Nkapelka.exe	99
PID 2620 wrote to memory of 4544	2620	Nkapelka.exe	99
PID 2620 wrote to memory of 4544	2620	Nkapelka.exe	99
PID 4544 wrote to memory of 3328	4544	Nefdbekh.exe	101
PID 4544 wrote to memory of 3328	4544	Nefdbekh.exe	101
PID 4544 wrote to memory of 3328	4544	Nefdbekh.exe	101
PID 3328 wrote to memory of 1476	3328	Nkcmjlio.exe	103
PID 3328 wrote to memory of 1476	3328	Nkcmjlio.exe	103
PID 3328 wrote to memory of 1476	3328	Nkcmjlio.exe	103
PID 1476 wrote to memory of 3732	1476	Nfiagd32.exe	104
PID 1476 wrote to memory of 3732	1476	Nfiagd32.exe	104
PID 1476 wrote to memory of 3732	1476	Nfiagd32.exe	104
PID 3732 wrote to memory of 404	3732	Nhgmcp32.exe	105
PID 3732 wrote to memory of 404	3732	Nhgmcp32.exe	105
PID 3732 wrote to memory of 404	3732	Nhgmcp32.exe	105
PID 404 wrote to memory of 4880	404	Ndnnianm.exe	107
PID 404 wrote to memory of 4880	404	Ndnnianm.exe	107
PID 404 wrote to memory of 4880	404	Ndnnianm.exe	107
PID 4880 wrote to memory of 4788	4880	Nlefjnno.exe	108
PID 4880 wrote to memory of 4788	4880	Nlefjnno.exe	108
PID 4880 wrote to memory of 4788	4880	Nlefjnno.exe	108
PID 4788 wrote to memory of 3620	4788	Nbbnbemf.exe	109
PID 4788 wrote to memory of 3620	4788	Nbbnbemf.exe	109
PID 4788 wrote to memory of 3620	4788	Nbbnbemf.exe	109
PID 3620 wrote to memory of 4832	3620	Ndpjnq32.exe	110
PID 3620 wrote to memory of 4832	3620	Ndpjnq32.exe	110
PID 3620 wrote to memory of 4832	3620	Ndpjnq32.exe	110
PID 4832 wrote to memory of 4800	4832	Nkjckkcg.exe	111
PID 4832 wrote to memory of 4800	4832	Nkjckkcg.exe	111
PID 4832 wrote to memory of 4800	4832	Nkjckkcg.exe	111
PID 4800 wrote to memory of 3980	4800	Nbdkhe32.exe	112
PID 4800 wrote to memory of 3980	4800	Nbdkhe32.exe	112
PID 4800 wrote to memory of 3980	4800	Nbdkhe32.exe	112
PID 3980 wrote to memory of 4532	3980	Odbgdp32.exe	113
PID 3980 wrote to memory of 4532	3980	Odbgdp32.exe	113
PID 3980 wrote to memory of 4532	3980	Odbgdp32.exe	113
PID 4532 wrote to memory of 5040	4532	Ocdgahag.exe	114
PID 4532 wrote to memory of 5040	4532	Ocdgahag.exe	114
PID 4532 wrote to memory of 5040	4532	Ocdgahag.exe	114
PID 5040 wrote to memory of 4988	5040	Ofbdncaj.exe	115

C:\Users\Admin\AppData\Local\Temp\d1a326e5a0f8774aad7a6c8376f81320N.exe
"C:\Users\Admin\AppData\Local\Temp\d1a326e5a0f8774aad7a6c8376f81320N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\SysWOW64\Loopdmpk.exe
  C:\Windows\system32\Loopdmpk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\Ldkhlcnb.exe
    C:\Windows\system32\Ldkhlcnb.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\Mkepineo.exe
      C:\Windows\system32\Mkepineo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3952
    - - C:\Windows\SysWOW64\Mekdffee.exe
        
        C:\Windows\system32\Mekdffee.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
      - C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Nefdbekh.exe
        
        C:\Windows\system32\Nefdbekh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\Almanf32.exe
        
        C:\Windows\system32\Almanf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Acdioc32.exe
        
        C:\Windows\system32\Acdioc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:652
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Bfhofnpp.exe
        
        C:\Windows\system32\Bfhofnpp.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Bppcpc32.exe
        
        C:\Windows\system32\Bppcpc32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Bpbpecen.exe
        
        C:\Windows\system32\Bpbpecen.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Bikeni32.exe
        
        C:\Windows\system32\Bikeni32.exe
        66⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        73⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Cibkohef.exe
        
        C:\Windows\system32\Cibkohef.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Cdgolq32.exe
        
        C:\Windows\system32\Cdgolq32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        78⤵
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        83⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 220
        99⤵
        Program crash
        
        PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5560 -ip 5560
1⤵
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
1⤵
PID:6056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apgqie32.exe

Filesize
128KB

MD5
b84b2981efb8b4d9005592905c01780b

SHA1
d437f331b149f43abd01afda54516152d82e2f20

SHA256
eb7b3f71c3aa4943047d37af02a1dcb0a7f2b357b04281ad5917cbc29fd71c22

SHA512
00dad7105b9c9cb045024d10b0a985e322464cabee2cffb6a7ca8136f9a43834df2e55f96477157c603f9e8c7adb633f80603964a02b00819fb6f97c38c43a07

Download Submit
C:\Windows\SysWOW64\Bppcpc32.exe

Filesize
128KB

MD5
74001f90a7a2c84c1af0576275ae15d2

SHA1
e0e2e78275469d96a9e8b5128c6f9c386081258f

SHA256
c3b3e98186e8d9469c674573b970cbf14cb1516a23b008685f4956f5d32b3ef2

SHA512
699397e9dcbafb6f64078f311139ef4a1091f4c03082af0b8067b0943ee8d1007900669de0441bf63cea676ff99eda2f64662bbc99c21df15a091e9625d3c00e

Download Submit
C:\Windows\SysWOW64\Cbmlmmjd.exe

Filesize
128KB

MD5
ea894fcdd524c1f423da57d9349f3f76

SHA1
3dbbed2867be171e292fac54013f28508e5de499

SHA256
2b0a2e6ea56c68fccbabc7db34c1350a6c026f94d0f8d19bcffa3d651a0d57d9

SHA512
9609a8c5380c9a5549415330fef2c4c182ffd0167a163ec8c376e836a634ec136663dc34b76c1d8059aaacfff530643c3c1c9fb4ddc19aca435614c772578144

Download Submit
C:\Windows\SysWOW64\Ciiaogon.exe

Filesize
128KB

MD5
d5269744bb0b2fb68afbd3bece3828de

SHA1
f697253289085f58385238c91e0e0ed2481d4c28

SHA256
39cffde74a649b9249404dc4bc43e8f62ee6c283e30c21895f4276cc3daf1f49

SHA512
732576e75d1ed8a59cb0a9651c827c89ee8949a30a8325e1f57a7196682d7d2b894d9824c3bafde8de50a8c9880446eb0a831a6a3f48f5f22d24eb34af7002dc

Download Submit
C:\Windows\SysWOW64\Kchhih32.dll

Filesize
7KB

MD5
dea132d6c2686c05fe17d1068fe67707

SHA1
0959f2bbb368dffe1d9e323faf308dd638d92c9b

SHA256
a5d65d524af5aa076220904c07c2817fac9934056e8099bbd0f0b4c9b9dabf87

SHA512
027ab116ea55db04d7f5683b89b27cfa5b3c4cd3d5ca46402e307550b88578745a8a70523a2b404a5b19a32caafd533dcc9751f0d38f2194f972814175fd65cf

Download Submit
C:\Windows\SysWOW64\Ldkhlcnb.exe

Filesize
128KB

MD5
ec56568837e5b9ddf1712ab2e0c64e32

SHA1
2d570b18775becf7bd80e3171d1e3128b02d3a30

SHA256
69ad5d9482001c6ef6012df74f8cd3947555cd02202545613ba1e7da628169b7

SHA512
3c84197ed3e109c38f14bd0836c00ff3e42d6555b23b6498d0290d1845492c4a5e20a06e6990a65e38824d1fb53eb0a7048efc442f1eb748c83250d95d7cbcbc

Download Submit
C:\Windows\SysWOW64\Loopdmpk.exe

Filesize
128KB

MD5
7720b7fed1957a3a23fcbf10b6c18064

SHA1
203a85a24186eb6ee38ef274faa631606d33cd5b

SHA256
2caf4687b950349910720f9417d0c0233740b6c92ae90031affebbf5da9a2ed5

SHA512
7807cdb2f87646b3e7747ae19f63506e05899b462d4dc348da811a38263b2a295ee32c0019644ae3279f2752369da2775fba4863dc90c07c9441e6a40df0e645

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
128KB

MD5
a5ecd6141ee5cb8f5acad88ded611586

SHA1
8cf2548b7b2b37b1148d9edcd18c17e0f438ce68

SHA256
8709306f3e8e71a494cdca438fcb3c61ceee8f63eaa88694de7ef8fa67cc6721

SHA512
ec695a3c851892d790ed55bd1e950aaa116407264572803d88b111d87583f258c23edf464e09e7b77e0482352c3f99282f6e4ada506ab2e252370aae2574db3c

Download Submit
C:\Windows\SysWOW64\Mdnebc32.exe

Filesize
128KB

MD5
b194aeac0bfd4d53f85d56946e76b362

SHA1
bfe0dd401293d1b8729e55d3cae3faac3e361140

SHA256
c46b5e6e0ae5cfd85ed3ac013ef845687f9d50ab05863662df95f0c4bbb00407

SHA512
bcbbec603a50138813242124c3854a18ace1abca0460344e297f160b530a23346fca9d9213ef6f1c14de8c8fc2b7b3fb026135dac48c825560896e805dae1153

Download Submit
C:\Windows\SysWOW64\Medglemj.exe

Filesize
128KB

MD5
3d585c393d0b16ef7675121eeeaddd67

SHA1
bc8aa1839a2b64b3bc2047681fff3b9b418342d6

SHA256
f09eed14ac9e042e2b1a27e87cbb320a51d338ae5b0e003ea76374a61468495a

SHA512
5ee29b82355f0cd52b5f3c00421a9955763d854b6d4e4a9d5fc256572cddc4276f8d752547c34bf5429bdcf0ee8ae61321de60d62a47f477d50c5ce33f753c92

Download Submit
C:\Windows\SysWOW64\Mekdffee.exe

Filesize
128KB

MD5
d875bc90c2343c876443a8a8a42e72fc

SHA1
2e458f73f0afaa7905d0f16d3013e4d73109a267

SHA256
dece58c5190099383603a46309a10429b8e0eaee4969fa5529a753763618be93

SHA512
a5bf33e38e8c0376cdf68063cbe41fba4c197eca3d363502ab8769f82f0b593b34aa930ffea9199e3de034f452158f458c08d40868e2eeabc85d545c58ed2ed5

Download Submit
C:\Windows\SysWOW64\Mkepineo.exe

Filesize
128KB

MD5
84e8c332c8db2a3df1630026b267f68f

SHA1
dcbae6826cf535decb45583d05132d452fd01c55

SHA256
e78a10c234f99ba5537b0b1dde5306e138c26de8775338ba69b90d73ef485569

SHA512
a955b255a283909334e18b97d197d7762b4205cd313700907085a79fe3d0d0f65a490422b5697be75dfb423d6df996fd116cf7a57c5236289664961612906f70

Download Submit
C:\Windows\SysWOW64\Nbbnbemf.exe

Filesize
128KB

MD5
56072261275f8427ec0598fed14aa1d6

SHA1
3b228ec740f1913355d3ea253d80540582ce01d0

SHA256
064a3bd2f088ba0a48684e0ada2c5d7f8e47345c11c18709cade45703236038b

SHA512
e35c3f3fd83bad77b3fe55e122ae260cd8ce18c2a47e970d48f2523911c07c49a6fe89882a093aaaece36bf55bce69265ea22cacae489e0c9e8e7d4de005aac9

Download Submit
C:\Windows\SysWOW64\Nbdkhe32.exe

Filesize
128KB

MD5
7b986114287af0234bdb98321b2c5ae0

SHA1
b3aaf0fd2d1aa9e3f93e7dae53810e1d67eb2c8f

SHA256
01b2487001c8c985db43a638331a150fa62149659cfb140fb4a0ba6d057cb19f

SHA512
e317dbc427debbe197dbecf490e3c186f34fbb092cd87de079e96115d43cfa732dd6283c142c39846905df12378165f697a0214f543bcd6906ef84b869738dad

Download Submit
C:\Windows\SysWOW64\Ndnnianm.exe

Filesize
128KB

MD5
821706b4627cae3c572f4316db72e92e

SHA1
2a656fae4cb3215e68e9b187f18772aacded2a01

SHA256
abd44f40f3c1643cf7c0c52cf185672a49ce85fc1c831f4f3ae8dd94c8c5784e

SHA512
adca4729ea832011b64d4f39a036187b31adcd9cb9e2c32073b677d03bc9ce4f43f1bf0e0ebf30382965b96152328c74b47ee2185b79689d6b739a05cb40650d

Download Submit
C:\Windows\SysWOW64\Ndpjnq32.exe

Filesize
128KB

MD5
6512b67e500e0a10f0ce4185182efb64

SHA1
5d2412afb3ef6e04e396a67c1e8501c1e4e56556

SHA256
041aec668f046c49c46071673a75ae4279223e45757d86d6b3ba172012dfd175

SHA512
66aea5df52b2f7d61b92127d1558662949a409d357d6cab83132996c67eb3a91d70dae5aa32cbaaa3ae89dc26bafe47079dec0646131b14afccb3eb64dc0d3e4

Download Submit
C:\Windows\SysWOW64\Nefdbekh.exe

Filesize
128KB

MD5
823792e09892c2632f5c448f9075b3fd

SHA1
055fe3dc268f6cf2c1e79ceb446e3e04772df7e2

SHA256
71f5b0fa10af6cece679fd91a84d43868d7bf39c2ccaf2485fed756367d6f487

SHA512
8d01785928f020a30e7be0e2a63b5b8bfad2eaa9fb6ebe6fe7fc7b0566c86ca16fb627da12ede9ab0aa6abaddd91a43543d8c47a2819d08fe6a5f3138c5a7d91

Download Submit
C:\Windows\SysWOW64\Nfiagd32.exe

Filesize
128KB

MD5
fc0391ca1cc59b053345c88f5e194cec

SHA1
d6a987293860f017246a43134637990f5527f230

SHA256
65434ba6452d6355514e3c5557cab370d89b78a9cb0062daec3078d0ec9b07bb

SHA512
5cd5af65ee5c3f1cad3815a90eb968501570fbe48d3093d4dc3f07f5ad3ceb431310f589913eb50e8dfbb3cd7a3b8a037461f5ba9a664419084468465b1f7354

Download Submit
C:\Windows\SysWOW64\Nhgmcp32.exe

Filesize
128KB

MD5
55f0aedcb948e01da48c206c7c06906a

SHA1
3eb12857cb65e3b3caecdc7eb47c2df05e661ca6

SHA256
a0d8eedfc3b38be0914bf8c47bf7735d0b0373f4a80138907ddea2fe77661d43

SHA512
48e529b06bb46ef1011bf365ee32b229805abe98cd1b268424f931a5768e841ea54624edac8b9beeb38a731761010e2fd70b929883a2443b61b2a11712c6e183

Download Submit
C:\Windows\SysWOW64\Nkapelka.exe

Filesize
128KB

MD5
f4cd57bb76efe04a90bc4dc64199104e

SHA1
7a860ba9255cce2b0bb98f013dd53f99969ec4f3

SHA256
cce05b2acb190fb545c3bbf0809e013d97165e2b7e005ecbcf3ecd238a47cee5

SHA512
dbc52c6cb35ef052a31679238ae5786607184c0307e36583e5f48bd971621d21c722d6f1b5b0f474b1e78ebb863635a86df30df906663bd73c4a232bc202821f

Download Submit
C:\Windows\SysWOW64\Nkcmjlio.exe

Filesize
128KB

MD5
cff184cc4a4254d2c7d9d2a956060e5c

SHA1
c3c6d228e9bd02270d55a7a74c59d161d36f4143

SHA256
b5cd9c1743205b1394d5f95c000e7f608e9277c0e748b964ba83d51f48e231f7

SHA512
5c5d60988750382ac5dfd6a4ee4a0966fc1533a7d7e22533990caf2637be9b68deb0f5e68986a17fc9fbb32791c9b5219a8014ecb0de7b4d860418a28150e593

Download Submit
C:\Windows\SysWOW64\Nkjckkcg.exe

Filesize
128KB

MD5
e815150f7f55bce8ad862a9173af5c6c

SHA1
08b53eb8696a7238622a05e215f7418e91429d71

SHA256
ca3cfc8744a818c621f5def406087ff83be052bab234600c29ec40e33f9ed4e6

SHA512
120b4b4785a2280c2adf3cc8a3a57ec1b71adc1e6129a3af9156294b11e9af50a997ca8e92c54124e80b0fadd8d897f671d74a99bd690b60a5b05569488b5332

Download Submit
C:\Windows\SysWOW64\Nlefjnno.exe

Filesize
128KB

MD5
66de2f5fd9a6610bf5fa4e15bb68db3a

SHA1
9fd28dde41c37baf973a26d4fc1a95b7b786c98c

SHA256
181eaa256a4d90cd482a81c89f2ff40abf5e3e51a1abe343d6bbbed4ac971044

SHA512
d750a505c13d91425bcb36bea3bcebcd6b309a639b39e4ea72b1735cba38ae1e6f1f5985d57d381a5209c99bb0fce049185043cc10363a9de6fe56fb7ddb11d4

Download Submit
C:\Windows\SysWOW64\Ocdgahag.exe

Filesize
128KB

MD5
d3f22121c5d9205f0ab2eabecee36fbb

SHA1
e1a8b6d53a5d080ba3d9ea199acd967efefd8fe7

SHA256
b057fbfb0db70acebf486fcca638568d008a56282cf7bcf636c484c36cbffc9a

SHA512
272727803a807fafdff9bed0ac6b37056d22c8281b8adb194de65979827ab071e1b368c2d7dcebd5527b2816485dff32685941cdd68ddf87264198214168c2d8

Download Submit
C:\Windows\SysWOW64\Odbgdp32.exe

Filesize
128KB

MD5
6057cff0bb44881d1e3f4c721de6ae16

SHA1
042a25fbf065628412261318d28aa7f67fc5a968

SHA256
b372b485ca1fa489b2c7fb719f2c43d0642f7173619283b1f4bb3144f2536f7c

SHA512
e8a481002c3c8fa8c51bb48cb991551a59c99bacd09d8fb88c34278a218b9cac18948bfb240ce362163a50e38b181ce694026b6723d74b8c8081ac3d891b9f9b

Download Submit
C:\Windows\SysWOW64\Odgqopeb.exe

Filesize
128KB

MD5
0b1949d4a2cc14c165c894f5dbddbba7

SHA1
a95a1068fddd2ea3ef567da34c89a9aa8d21592a

SHA256
80172930aee7a602ae4f128f4ceb2682d5a0275d8bf57834a3948c800d65d0b5

SHA512
7dbddcc87410d39cf2d44b8e43dca72915aeefd1899ea4a5e2ba28d18731caab2c4d8a0433a1687c89936a079bdcd0f3af74164c40da9600603a840c0467e6d6

Download Submit
C:\Windows\SysWOW64\Odjmdocp.exe

Filesize
128KB

MD5
2486774fb420059711addb5aef6b102e

SHA1
733c4dc14883f3359dda5f1d979b20cc58147bc0

SHA256
ea9f59b0932b1d9dad6a94781c11f5c86198185367e69abc01676ca25bc7f70c

SHA512
6213231dd81ba8079fb3c302d0f56e7eee2571cb39839d5b60abc758ad6e1065e2a69d3499914dac5a0c651218501406694e49829573a6bcbf9c3c3eeb3ef447

Download Submit
C:\Windows\SysWOW64\Ofbdncaj.exe

Filesize
128KB

MD5
9a48c9d528026dda463ae1d60248bc4b

SHA1
0b1b0ec33c3adc68d45518419ea9ffeed0125b82

SHA256
aeada67cb98454b0d1b5c87b8d467bdf01318fcd0af845dfa5d8a8b53c3857e0

SHA512
058ec176cde9a8aa36680ed17512e2098c046e83997cb14c0487efc8cb81a29d047b99200840811e6e7886ace74596457a5a67f2b5a4410fffd28c04691dd286

Download Submit
C:\Windows\SysWOW64\Ofijnbkb.exe

Filesize
128KB

MD5
64d809997a70393521def65e93081ba5

SHA1
12fd5502510ecf4f0e4869b2eff0f569a3c76088

SHA256
869ff5768eef7957472314281498fa1521311d79e2e30cc8bc9e8c39869381d1

SHA512
89ccf6a3682d424350fceee44bb49b6807d572e9523fe85d31fca5c735cee468efeaedae271e5d4a14929bcefdee4fbcc7f67085c3a6bebc8cd4abe121aeb19c

Download Submit
C:\Windows\SysWOW64\Oflfdbip.exe

Filesize
128KB

MD5
7c44355f1f0791d872bef776aaaee8f1

SHA1
2bc284c2aafba768a44d03b19360eb0eafc917f6

SHA256
3a95ee379fda83326c695ecff05d3ade66db1b155827fd273f15a494d720d41a

SHA512
7ee0ac434d84d43ef54da3d7c497d28a71726bf469992917e95ccc94e8d07199f34056fc873cca03bc32b39a446a17723a88af970e2162f02b48387b5704c3d2

Download Submit
C:\Windows\SysWOW64\Okceaikl.exe

Filesize
128KB

MD5
1dba23e702bb8648ef17ff74ddeeef46

SHA1
7a281a877473ea17228280363a3508bab73aa251

SHA256
772e8c1837d8ffcea95ff3a1613ee5fbd872a772379ca717553fa5652376c558

SHA512
8e90a44105f0c52d75cde8bfc998c0044b43c464feedc9010b1b6aebbd7629895f0a626641b7c6d07bc8dbc8f6f8ade43481a0b2cc2248c524d56fb12a313566

Download Submit
C:\Windows\SysWOW64\Omcbkl32.exe

Filesize
128KB

MD5
9c94bfacf15fe50c24294ae029f3b6e9

SHA1
e970fe7d572c0da36c219acc10fd021875294cad

SHA256
db196afc5db360fc126b25a549013550daebe1e4ce28819d5053afb255cd2695

SHA512
c0453e3337a79d2bef8b7bd36f102785d02be37e1b2ef3b958228fb3d2d1dc0ad1badf13da8d805863b672250af2e8982867edf0788719d4e49d9ece3f358f38

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
128KB

MD5
16afdbd724b4c4778c52ca17ca926466

SHA1
de6f731e7ec82c437733a5738ceac9e456391f55

SHA256
3728474360f0a3bab83ed19146536a462adc3b23ddfaa4a825bd33278a381f05

SHA512
b9fb0c72f68ea9750bc0c85a951a62ee715027187e4032b83330b35acff6fba4a658272a92ea81dc2d12649c2d4e11a8aecb8ee85497481dc3a7ce960168ec76

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
128KB

MD5
879adddff985bbbb6dd039d5a13c014a

SHA1
84ebc7adb2dfef2c4096237f63e3d8568e65b07b

SHA256
ba4bd76382dfdb2dca35543009c0f99b1abe16f5b79b1ca0e58edc264505abfe

SHA512
ca81b4fe8e359209cc1194ddd2d71f009b25ecb304088c0bb58efa189b331614e87302dc36db1061c810bd3234ad3f3542ef6f0beb99c07f323edc1aaf03399b

Download Submit
C:\Windows\SysWOW64\Pcpgmf32.exe

Filesize
128KB

MD5
3080d37a27b952c003669cadc2648332

SHA1
dee221259fbaf0b240561f3b8eabc81c937241ce

SHA256
28ec5a4e6b47a9cb66979e5da8e9db6900ce9fea72aef1333fbc5314bf34a7f8

SHA512
c087428a698749789e5f7c022137307551521b9f2f49e03d6af6c870a65b11e2bbd1a00bd014492a4a75699c9d3206a50b25025e386650eb8d01542ed377c417

Download Submit
C:\Windows\SysWOW64\Pilpfm32.exe

Filesize
128KB

MD5
aeb7de3b607162a444c9dfc101af3670

SHA1
43257558a6173e261d163192bafd5081bf789231

SHA256
74efd125b8b2ccc8a9f0e5505d738bdc0929e790234e7c071fd9c172129804e8

SHA512
d3e33e8a0ba13b0fbd0c98538574399e0161e2c0e953a852a0c51920520a7521b520d4b5b44b067af8ac64d0ab8285e33c898381717a71370ba2e24adc07302d

Download Submit
C:\Windows\SysWOW64\Pmeoqlpl.exe

Filesize
128KB

MD5
6383cc8d87f7128bbd7c2fb77f23b0da

SHA1
8656fdfffc3eeef34c2ca574097d388087a413e6

SHA256
42883a74c5d2ecac46ea8378d06c5891b6632d3aae7b7a59c97bc4cde911855c

SHA512
1094b6657bd29662dd4f20d18503b73f272f19bde73e37f97b9546a769da197e23746ff0d95276a8412e1d6b3a9d8a06c1a4a8caf778156a0263d23c0bc6cb06

Download Submit
memory/112-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/404-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/440-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/652-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/924-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1316-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1476-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1716-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1912-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1912-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1916-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1976-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2080-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2244-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2472-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2620-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2792-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2860-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2876-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2980-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2980-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3024-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3040-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3056-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3068-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3068-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3208-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3328-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3448-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3500-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3564-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3600-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3608-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3620-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3704-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3732-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3880-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3952-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3952-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3980-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4036-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4036-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4408-60-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4408-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4520-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4532-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4596-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4620-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4788-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4800-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4808-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4828-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4832-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4844-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4988-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4992-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5040-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5084-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5124-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5160-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5168-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5208-440-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5216-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5248-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5280-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5292-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5324-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5356-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5408-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5464-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5504-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5544-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5584-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5624-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5664-499-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5704-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5744-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5784-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5824-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5864-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5904-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5944-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5984-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6032-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6076-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6120-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads