132ceca8b87939a7a52393e37b92d6d0d05397ec13f41ae508dad5ddeca0fe33

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

767cea2c78aaf1e4ffe2a74473e1de30N.exe
Size

237KB
MD5

767cea2c78aaf1e4ffe2a74473e1de30
SHA1

82e04c53eda8309746d9e61220cd1e4cd59ac499
SHA256

132ceca8b87939a7a52393e37b92d6d0d05397ec13f41ae508dad5ddeca0fe33
SHA512

29f65edb665320bd76b8bcc57c6ebe714bb224b025c3f6a3cda4a8799021837b870a37a2783b4dee454c4684b11c650b5f694a0f51bd3a2e77dc667e9fba3a34
SSDEEP

3072:s+cN/LT+RCdQ/lAUbj8Nq75Sq4iqnAUUjE02ZoL9snKKq:s3N/LaB/lXj8U5ihYjEToZY8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfncia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkjjdmaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Madbagif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acppddig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medglemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mociol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfpghccm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odgqopeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lehhqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkeipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mclhjkfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mclhjkfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mociol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Napameoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlefjnno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjckkcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noaeqjpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mepnaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhpgca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lehhqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhbciqln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhlfoodc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nomlek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mllccpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnjbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfkpjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medglemj.exe

Executes dropped EXE 64 IoCs

pid	Process
784	Lcjldk32.exe
3024	Lehhqg32.exe
3252	Mkepineo.exe
4284	Mclhjkfa.exe
64	Mekdffee.exe
4352	Mhiabbdi.exe
2664	Mlemcq32.exe
4028	Mociol32.exe
2472	Mcoepkdo.exe
2704	Memalfcb.exe
4744	Mdpagc32.exe
4432	Mlgjhp32.exe
5064	Mkjjdmaj.exe
4812	Mcabej32.exe
3656	Madbagif.exe
3536	Mepnaf32.exe
916	Mhnjna32.exe
4528	Mlifnphl.exe
5116	Mohbjkgp.exe
4636	Mafofggd.exe
2144	Mebkge32.exe
4656	Mhpgca32.exe
2788	Mllccpfj.exe
4992	Mojopk32.exe
2548	Mcfkpjng.exe
4144	Medglemj.exe
3068	Nhbciqln.exe
3600	Nlnpio32.exe
1328	Nomlek32.exe
2972	Nakhaf32.exe
2764	Ndidna32.exe
3288	Nkcmjlio.exe
4032	Ncjdki32.exe
4092	Nfiagd32.exe
3644	Nhgmcp32.exe
2400	Nkeipk32.exe
3032	Noaeqjpe.exe
2352	Napameoi.exe
512	Ndnnianm.exe
4408	Nlefjnno.exe
4272	Nkhfek32.exe
5140	Nconfh32.exe
5180	Nfnjbdep.exe
5224	Nhlfoodc.exe
5264	Nkjckkcg.exe
5304	Ncaklhdi.exe
5352	Nfpghccm.exe
5384	Ohncdobq.exe
5420	Okmpqjad.exe
5460	Ocdgahag.exe
5496	Ofbdncaj.exe
5536	Ohqpjo32.exe
5580	Ollljmhg.exe
5612	Ocfdgg32.exe
5652	Ofdqcc32.exe
5692	Odgqopeb.exe
5728	Oloipmfd.exe
5772	Oomelheh.exe
5804	Obkahddl.exe
5840	Odjmdocp.exe
5880	Okceaikl.exe
5916	Ofijnbkb.exe
5968	Omcbkl32.exe
6000	Oflfdbip.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mcabej32.exe	Mkjjdmaj.exe
File created	C:\Windows\SysWOW64\Kqcgfpia.dll	Medglemj.exe
File opened for modification	C:\Windows\SysWOW64\Mllccpfj.exe	Mhpgca32.exe
File created	C:\Windows\SysWOW64\Gnggfhnm.dll	Nhgmcp32.exe
File opened for modification	C:\Windows\SysWOW64\Oomelheh.exe	Oloipmfd.exe
File created	C:\Windows\SysWOW64\Hmmppdij.dll	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Mqkbjk32.dll	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Qejfkmem.exe	Qfgfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Nomlek32.exe	Nlnpio32.exe
File created	C:\Windows\SysWOW64\Aiaeig32.dll	Ohqpjo32.exe
File created	C:\Windows\SysWOW64\Inkqjp32.dll	Oomelheh.exe
File opened for modification	C:\Windows\SysWOW64\Podkmgop.exe	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Pcijce32.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Kpdejagg.dll	Ndidna32.exe
File created	C:\Windows\SysWOW64\Ncjdki32.exe	Nkcmjlio.exe
File created	C:\Windows\SysWOW64\Kjmole32.dll	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Jkiigchm.dll	Piolkm32.exe
File created	C:\Windows\SysWOW64\Bebggf32.dll	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Ohqpjo32.exe	Ofbdncaj.exe
File created	C:\Windows\SysWOW64\Ofaqkhem.dll	Akihcfid.exe
File opened for modification	C:\Windows\SysWOW64\Lehhqg32.exe	Lcjldk32.exe
File created	C:\Windows\SysWOW64\Memalfcb.exe	Mcoepkdo.exe
File created	C:\Windows\SysWOW64\Hkglgq32.dll	Mcfkpjng.exe
File opened for modification	C:\Windows\SysWOW64\Noaeqjpe.exe	Nkeipk32.exe
File opened for modification	C:\Windows\SysWOW64\Odjmdocp.exe	Obkahddl.exe
File opened for modification	C:\Windows\SysWOW64\Pilpfm32.exe	Pfncia32.exe
File created	C:\Windows\SysWOW64\Qelcamcj.exe	Qbngeadf.exe
File opened for modification	C:\Windows\SysWOW64\Mcoepkdo.exe	Mociol32.exe
File created	C:\Windows\SysWOW64\Mcabej32.exe	Mkjjdmaj.exe
File created	C:\Windows\SysWOW64\Acicqigg.dll	Nakhaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ndnnianm.exe	Napameoi.exe
File created	C:\Windows\SysWOW64\Nconfh32.exe	Nkhfek32.exe
File opened for modification	C:\Windows\SysWOW64\Mclhjkfa.exe	Mkepineo.exe
File created	C:\Windows\SysWOW64\Mepnaf32.exe	Madbagif.exe
File created	C:\Windows\SysWOW64\Mebkge32.exe	Mafofggd.exe
File created	C:\Windows\SysWOW64\Pbbgicnd.exe	Podkmgop.exe
File created	C:\Windows\SysWOW64\Kefjdppe.dll	Mohbjkgp.exe
File created	C:\Windows\SysWOW64\Jmgdeb32.dll	767cea2c78aaf1e4ffe2a74473e1de30N.exe
File created	C:\Windows\SysWOW64\Gpdkpe32.dll	Lehhqg32.exe
File opened for modification	C:\Windows\SysWOW64\Mhnjna32.exe	Mepnaf32.exe
File created	C:\Windows\SysWOW64\Mlemcq32.exe	Mhiabbdi.exe
File created	C:\Windows\SysWOW64\Nfiagd32.exe	Ncjdki32.exe
File created	C:\Windows\SysWOW64\Nkjckkcg.exe	Nhlfoodc.exe
File created	C:\Windows\SysWOW64\Hlkjom32.dll	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Ipdkapdh.dll	Mhiabbdi.exe
File created	C:\Windows\SysWOW64\Mllccpfj.exe	Mhpgca32.exe
File opened for modification	C:\Windows\SysWOW64\Nfnjbdep.exe	Nconfh32.exe
File created	C:\Windows\SysWOW64\Mejcig32.dll	Nfnjbdep.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Afnlpohj.exe
File opened for modification	C:\Windows\SysWOW64\Qejfkmem.exe	Qfgfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Abpcja32.exe	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Mhnjna32.exe	Mepnaf32.exe
File created	C:\Windows\SysWOW64\Ohncdobq.exe	Nfpghccm.exe
File created	C:\Windows\SysWOW64\Oloipmfd.exe	Odgqopeb.exe
File opened for modification	C:\Windows\SysWOW64\Piaiqlak.exe	Pbgqdb32.exe
File created	C:\Windows\SysWOW64\Qfgfpp32.exe	Pcijce32.exe
File created	C:\Windows\SysWOW64\Qmanljfo.exe	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Oenflo32.dll	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Bqpqlhmf.dll	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Acppddig.exe
File opened for modification	C:\Windows\SysWOW64\Mepnaf32.exe	Madbagif.exe
File created	C:\Windows\SysWOW64\Mlifnphl.exe	Mhnjna32.exe
File created	C:\Windows\SysWOW64\Jbjabqbh.dll	Mebkge32.exe
File created	C:\Windows\SysWOW64\Abohmm32.dll	Nconfh32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkepineo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndidna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlfoodc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmjlio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkjjdmaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbgicnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhiabbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllccpfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noaeqjpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgjhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcabej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhnjna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mepnaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefjnno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdgahag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeijqqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjckkcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mclhjkfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhfek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjmdocp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnjbdep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpghccm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofbdncaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nakhaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnnianm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomlek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	767cea2c78aaf1e4ffe2a74473e1de30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lehhqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mociol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkeipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mafofggd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mekdffee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollljmhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkklbh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqgoo32.dll"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjonchmn.dll"	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncjdki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcdqhecd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mllccpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijbed32.dll"	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdkpe32.dll"	Lehhqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkjjdmaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piolkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhiabbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipiddlhk.dll"	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkhfek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjckkcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaqkhem.dll"	Akihcfid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiaeig32.dll"	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Podkmgop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Medglemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joboincl.dll"	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdgahag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokjbgbf.dll"	Ncjdki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mekdffee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfncia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nconfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqkbjk32.dll"	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcjldk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Memalfcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Madbagif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfiagd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfncia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlgjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebggf32.dll"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcokoo32.dll"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpldj32.dll"	Ofdqcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcabej32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 784	4752	767cea2c78aaf1e4ffe2a74473e1de30N.exe	91
PID 4752 wrote to memory of 784	4752	767cea2c78aaf1e4ffe2a74473e1de30N.exe	91
PID 4752 wrote to memory of 784	4752	767cea2c78aaf1e4ffe2a74473e1de30N.exe	91
PID 784 wrote to memory of 3024	784	Lcjldk32.exe	92
PID 784 wrote to memory of 3024	784	Lcjldk32.exe	92
PID 784 wrote to memory of 3024	784	Lcjldk32.exe	92
PID 3024 wrote to memory of 3252	3024	Lehhqg32.exe	93
PID 3024 wrote to memory of 3252	3024	Lehhqg32.exe	93
PID 3024 wrote to memory of 3252	3024	Lehhqg32.exe	93
PID 3252 wrote to memory of 4284	3252	Mkepineo.exe	94
PID 3252 wrote to memory of 4284	3252	Mkepineo.exe	94
PID 3252 wrote to memory of 4284	3252	Mkepineo.exe	94
PID 4284 wrote to memory of 64	4284	Mclhjkfa.exe	95
PID 4284 wrote to memory of 64	4284	Mclhjkfa.exe	95
PID 4284 wrote to memory of 64	4284	Mclhjkfa.exe	95
PID 64 wrote to memory of 4352	64	Mekdffee.exe	96
PID 64 wrote to memory of 4352	64	Mekdffee.exe	96
PID 64 wrote to memory of 4352	64	Mekdffee.exe	96
PID 4352 wrote to memory of 2664	4352	Mhiabbdi.exe	97
PID 4352 wrote to memory of 2664	4352	Mhiabbdi.exe	97
PID 4352 wrote to memory of 2664	4352	Mhiabbdi.exe	97
PID 2664 wrote to memory of 4028	2664	Mlemcq32.exe	98
PID 2664 wrote to memory of 4028	2664	Mlemcq32.exe	98
PID 2664 wrote to memory of 4028	2664	Mlemcq32.exe	98
PID 4028 wrote to memory of 2472	4028	Mociol32.exe	99
PID 4028 wrote to memory of 2472	4028	Mociol32.exe	99
PID 4028 wrote to memory of 2472	4028	Mociol32.exe	99
PID 2472 wrote to memory of 2704	2472	Mcoepkdo.exe	100
PID 2472 wrote to memory of 2704	2472	Mcoepkdo.exe	100
PID 2472 wrote to memory of 2704	2472	Mcoepkdo.exe	100
PID 2704 wrote to memory of 4744	2704	Memalfcb.exe	101
PID 2704 wrote to memory of 4744	2704	Memalfcb.exe	101
PID 2704 wrote to memory of 4744	2704	Memalfcb.exe	101
PID 4744 wrote to memory of 4432	4744	Mdpagc32.exe	102
PID 4744 wrote to memory of 4432	4744	Mdpagc32.exe	102
PID 4744 wrote to memory of 4432	4744	Mdpagc32.exe	102
PID 4432 wrote to memory of 5064	4432	Mlgjhp32.exe	103
PID 4432 wrote to memory of 5064	4432	Mlgjhp32.exe	103
PID 4432 wrote to memory of 5064	4432	Mlgjhp32.exe	103
PID 5064 wrote to memory of 4812	5064	Mkjjdmaj.exe	104
PID 5064 wrote to memory of 4812	5064	Mkjjdmaj.exe	104
PID 5064 wrote to memory of 4812	5064	Mkjjdmaj.exe	104
PID 4812 wrote to memory of 3656	4812	Mcabej32.exe	105
PID 4812 wrote to memory of 3656	4812	Mcabej32.exe	105
PID 4812 wrote to memory of 3656	4812	Mcabej32.exe	105
PID 3656 wrote to memory of 3536	3656	Madbagif.exe	106
PID 3656 wrote to memory of 3536	3656	Madbagif.exe	106
PID 3656 wrote to memory of 3536	3656	Madbagif.exe	106
PID 3536 wrote to memory of 916	3536	Mepnaf32.exe	107
PID 3536 wrote to memory of 916	3536	Mepnaf32.exe	107
PID 3536 wrote to memory of 916	3536	Mepnaf32.exe	107
PID 916 wrote to memory of 4528	916	Mhnjna32.exe	108
PID 916 wrote to memory of 4528	916	Mhnjna32.exe	108
PID 916 wrote to memory of 4528	916	Mhnjna32.exe	108
PID 4528 wrote to memory of 5116	4528	Mlifnphl.exe	109
PID 4528 wrote to memory of 5116	4528	Mlifnphl.exe	109
PID 4528 wrote to memory of 5116	4528	Mlifnphl.exe	109
PID 5116 wrote to memory of 4636	5116	Mohbjkgp.exe	110
PID 5116 wrote to memory of 4636	5116	Mohbjkgp.exe	110
PID 5116 wrote to memory of 4636	5116	Mohbjkgp.exe	110
PID 4636 wrote to memory of 2144	4636	Mafofggd.exe	111
PID 4636 wrote to memory of 2144	4636	Mafofggd.exe	111
PID 4636 wrote to memory of 2144	4636	Mafofggd.exe	111
PID 2144 wrote to memory of 4656	2144	Mebkge32.exe	112

C:\Users\Admin\AppData\Local\Temp\767cea2c78aaf1e4ffe2a74473e1de30N.exe
"C:\Users\Admin\AppData\Local\Temp\767cea2c78aaf1e4ffe2a74473e1de30N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SysWOW64\Lcjldk32.exe
  C:\Windows\system32\Lcjldk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\SysWOW64\Lehhqg32.exe
    C:\Windows\system32\Lehhqg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\Mkepineo.exe
      C:\Windows\system32\Mkepineo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Windows\SysWOW64\Mclhjkfa.exe
        
        C:\Windows\system32\Mclhjkfa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4284
      - C:\Windows\SysWOW64\Mekdffee.exe
        
        C:\Windows\system32\Mekdffee.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Mlemcq32.exe
        
        C:\Windows\system32\Mlemcq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Memalfcb.exe
        
        C:\Windows\system32\Memalfcb.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        25⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1476
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        74⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:312
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        90⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        98⤵
        
        PID:5220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
1⤵
PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lcjldk32.exe

Filesize
237KB

MD5
ffdb4ca3d824085ac15526a3c3a1a10c

SHA1
9641e02bd5af52d97c9a66fb028b9ad2ce5e086c

SHA256
bc5ace98a8a8f23c68135e6d5165b6114d90aa26e8a93036c02b4be802bf2d6f

SHA512
77389afd09a98b93ea3dc4becaa2ca9752cc25b91331a990978321799de1318b0a669d3f0c5b7d25694f230fb0a0e093adf861484915886e526b9760624b68b2

Download Submit
C:\Windows\SysWOW64\Lehhqg32.exe

Filesize
237KB

MD5
5586447680a178cdebb3edff8ea1ac48

SHA1
18fd037c03466091f5c7f042da08d89808057d94

SHA256
9b196dab7c4003333fddf29ddd9972b1b5920188aa2823fc808a389caf53fe93

SHA512
3d3c01c91411b0cc7ac38317d74995fc0c97a1ceac8c6584e988047ec2075c4aafd95854e21cb37e6524d20a685afe4c7ca6e2dae1f1274b94e6ea3157d80f6f

Download Submit
C:\Windows\SysWOW64\Madbagif.exe

Filesize
237KB

MD5
8cb9981ad1c2ff678b7d2f29deecb872

SHA1
a538c113037418fb01126ca13375ed6d187adaae

SHA256
0a4557c4675aaa84579b2098b1a6647797119c5d3e974e93b3ad7add6a4d0beb

SHA512
5978185c0bf388e00ec67e0686d530d5dca2365f00bb51990c02fdb49e704217168a17ed2a95bc0d97cb2ff07ac0176a82543be2653c047b0c3d00e26dd446da

Download Submit
C:\Windows\SysWOW64\Mafofggd.exe

Filesize
237KB

MD5
177d7bb506ac903f28a4056f72fb1cf8

SHA1
99023028504ae670ee58aa15ac02df40af22f25e

SHA256
9fe23ec7b00f462ca791873532c0e05415925c9294ccb7bfdd1897c2656ee8c9

SHA512
33065b0e5f721d26b4a642deab150b198d52ac558e1c58d3c1b6ad9ef871a94e2e70f188bb5bb135d5eddf1b2fc5daa04118681b9aa4deb643e71ca4fa48479a

Download Submit
C:\Windows\SysWOW64\Mcabej32.exe

Filesize
237KB

MD5
44f5008a55dd3b2a15e8650dded84c2a

SHA1
dbd938a836547664156e8c41b84e58c5b9bfc7fa

SHA256
aa9d3645b2bab7804367e0ebe5f8bf1c802c94b9fbbb4559b788deccd1688b27

SHA512
5ca364e8f1c56ff8e48207801ff945e9ce864d01b408ee4094fd4dbe3a2981e9e0f1ce99c55800b107f57c9be9530011c7b86a033ba3f9c265bf5c205414c408

Download Submit
C:\Windows\SysWOW64\Mcfkpjng.exe

Filesize
237KB

MD5
7055a430cdc9602343967c6831443fd1

SHA1
5cc8734deca6724195d8da50a3e52cc48a8f4a93

SHA256
d4038c4d510ff05bcc4bb979928311975c2db3fc3f46abf005f3240fbcaab531

SHA512
75b2855e864ebd40b527f1c4c9e3f01b64257942b0d1fa6b829c5318c5f97bc7d09780a32674e4a637ca491fe6a4c3dc5c39e33509d5fb8ce7f5fa6c3ddbf995

Download Submit
C:\Windows\SysWOW64\Mclhjkfa.exe

Filesize
237KB

MD5
3ee41c81dc9c97732512b5a78303aa1d

SHA1
b51f56f10d15a346fa75ed6e0d3c0f2b5b6877e3

SHA256
137dd4caa4e428dbd3df31f706034bd23df9d10f8aa238eceddf2acc3493edc1

SHA512
be27347808c1a7d21e51d87afcdd56e46d636ce0a630cd968d08562872e81af2aa1f7ee54e479f2b2dba64570bdbf6f8a878b9802b290c70bf6f68d3376f799d

Download Submit
C:\Windows\SysWOW64\Mcoepkdo.exe

Filesize
237KB

MD5
271f7b6819fa40d091b3e6752788dd25

SHA1
7d362dd303f07fe2f10d1375e0f6f282544b64dc

SHA256
00871dd95985dadc6f5fe311d68bc1f6acb48b9b36502c3758857b961426da1f

SHA512
ce6163bc47d77cfbeab173617c1a25686f5445d1427cdc335143d9001f3935f9f373038bb4310e6e9509b4c496e6b4c340b149e235b01c1ed1b423fa667571ce

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
237KB

MD5
2259a175cf77a262b7fbfbe0cfc51f7b

SHA1
febb2a4c4747cedd992508cef17388e393652613

SHA256
0838a7bcfd143f05d0cecbe70dba508cc527d6b020dd13f6745507b2c1d6491a

SHA512
e9df42aeaab4e2e2e5050fb4858f49f30e72db26e5f70fb1fc861b2d366bac3fa13fd83d99e0b24f793043aa464afbb09554b0908ccd1dfdf793276725f36344

Download Submit
C:\Windows\SysWOW64\Mebkge32.exe

Filesize
237KB

MD5
534f1037180f1050890e8d1310168974

SHA1
6ab06698fd05f48a90e5f6ce9807a43b70b1d605

SHA256
5d942244e3c08dbab553d562f99389624251d677bc4c38ce930d959b9f0a7db7

SHA512
b78d7dfb8fce8f8551edf5e5a60d54eebdc73fe4c3fd2ed1459f98d3684fd0728001551786a1da56eb9c1cb581213d7e722a139daa527bcf73681cd67377e5b6

Download Submit
C:\Windows\SysWOW64\Medglemj.exe

Filesize
237KB

MD5
0d141db8b87ed773fef6f46233eaec83

SHA1
372461c086721343feaa2df9a74e546019561b8f

SHA256
799008bd5cd0ca9f98b191530ce6cbc186c1ce7c36284a02abdf677309f83c0d

SHA512
e63a6cd232d0b1e16112e967a734cffc20aa3f969faf0ed3a978793368377e2a0f61ea45205e12a2e9d5f3e597400e73dbf86c1aa6504fe9ae9c45f6869bccb2

Download Submit
C:\Windows\SysWOW64\Mekdffee.exe

Filesize
237KB

MD5
b6bbc8b5f381d5083e4a64350903255e

SHA1
cd4409dbb0075a85e25552a2aa55abe84bb2c881

SHA256
b2bd9a98cd239776d5c7673543c2257fb5d957fb94bd2d337feeeb22fb6bf679

SHA512
1b3ecce605acff1730471c22284a1e80b6c4cbcb37159fe8cce86dd258dd62a4dad0e2ed29edca64963d379d846f3020d44be6b088058fa3323671f0407eea58

Download Submit
C:\Windows\SysWOW64\Memalfcb.exe

Filesize
237KB

MD5
72fa9725eb0e4076ac86c8854193d3a5

SHA1
358408adc85563c57aca9a9a8db22ac89a874679

SHA256
d1e9487a1d02b62accd5c65f310b90d380189d4a5f97ec4aafbae426d92fb594

SHA512
159187265198367e69e31731fcf4828506d346cd18a35aa6682b14cdd78fb58233e54e9740a16eb982a175a455609abb7a6f9044522029007d88af8c00616916

Download Submit
C:\Windows\SysWOW64\Mepnaf32.exe

Filesize
237KB

MD5
a40fb316bed2af87ed68502d42357345

SHA1
b00243fb08aee9c37fe1edc130f9f4d6ae80aed5

SHA256
3f3215ea7abea27e74cbc5c84bb127dde326bea9dfe5803c260fc655b822eaf8

SHA512
579d65e1b3c4c209041472abd3299c33706a2607420943fe5ee17afcef7a6efee560295f6c331b4034e3ff3624f823bd41e0de8020a5d42e343a90f162cdda35

Download Submit
C:\Windows\SysWOW64\Mhiabbdi.exe

Filesize
237KB

MD5
9c5bbfbe9a4bdabf4d384e8105d313b3

SHA1
fa2f07f57451cc4c90825a1719bb91bc93fc1a4a

SHA256
8fda7766e5ef11e27b13bbbd50d405cceabab469a5693ba4eaecae9b75033969

SHA512
2f0586928f51f56aa9a520e55dc849af2a5b3d405e8495a442b2ea82713e020ba9941db05b58cda0295a22a216d6912cd72d05a0c377b6d1894460726088aa94

Download Submit
C:\Windows\SysWOW64\Mhnjna32.exe

Filesize
237KB

MD5
85c7ddeb2d9e19bb0b99b74882057cf3

SHA1
99817b926ca82e3af01debee92dd092087098fab

SHA256
8ef82fff9f2970f9e626cac6cf7eec731a85214a62f4491aac4bed9cfeb0363a

SHA512
901503aa683b4e4819b18aa547284c3ac5b2e93cbb9fedf954abbfe7e964ff58bbd86c1c758bff7052613043956db607f6410d7a7a9f1af986af5dee610558ed

Download Submit
C:\Windows\SysWOW64\Mhpgca32.exe

Filesize
237KB

MD5
c192c0c5c03f8ca4bc8c940b27d911b7

SHA1
73175ea7efa44df4e1d53259305bdb4c8c197816

SHA256
53602920907ff53805f39fdd6c2795875172c55a55673e72fb506b5d44207fa8

SHA512
fe9851ac332274f91fb16a343b4db61e778561909ca294a554ef69de74b570eb57793663c1a55eafad94f0600951eab3e9732d76ef706d87b19d72cfe31fc2a5

Download Submit
C:\Windows\SysWOW64\Mkepineo.exe

Filesize
237KB

MD5
6630bdfaa709cc0ac12d2138edbbc814

SHA1
833a73a276ae3bc3443794f3edeedff744e4f50a

SHA256
31fbf52af9ab9a926e33f21a54fc4bc6ea98efde894f4da838e0df3d9b1ca570

SHA512
b12aaaa067aca28410cc70f397a28671b11d2a74b2d9af81047ea6cb8506fb8966af2b3b883b3a14379faf89e6d4b0031db7cffd17c15d696b2abbde0c89b707

Download Submit
C:\Windows\SysWOW64\Mkjjdmaj.exe

Filesize
237KB

MD5
afde8b030dd6acdfb3d53d57840c8a66

SHA1
365e8f1c2b0da4ae4ecf40641902a6f53203af0f

SHA256
134bff48748c2509ef31c1e4722405382e04ac14ad4a575025f912538b996ebc

SHA512
b98b672ab041906b615e134eeb396dc77665ada4c85424110d319f0fdca224ee1daa399274c92e191d3b18959e37b379f4b6405bc8914500549caf865c959902

Download Submit
C:\Windows\SysWOW64\Mlemcq32.exe

Filesize
237KB

MD5
896bd997ffcf5f21ff675215a9adfaac

SHA1
8e18518f4c14f69b90a0c158853c67eab9610c40

SHA256
5b2f4b7264c150da088615fd772cb58384fce4b4ac53a6312dd4255dcb8f5a06

SHA512
b0f7f8a29450b218cbc97285c4ac8ba51b40b9bc0dab5c1920032df9db96222926b582473167afacac9338a94da257ada8448fc8c0279a351335cf5b3d707b7d

Download Submit
C:\Windows\SysWOW64\Mlgjhp32.exe

Filesize
237KB

MD5
3dd5872a087d03ac47bd533da66984e9

SHA1
45d179040cf20eb1974c2b2980f06c0facd9bf87

SHA256
a06ee2e83b4c420abc1f29527f4381b5a24242ddef6960ad33517d97b15eb45b

SHA512
8d5aac6f267af4b898f26d73ab20d9f4b4217ba1baa0d4f174a7af7e173991f53ce0dd01719e12aa8b8fcd7e5ee157e540904b6eb356fc63c72e6bf1b93579ac

Download Submit
C:\Windows\SysWOW64\Mlifnphl.exe

Filesize
237KB

MD5
4503e2e57e0b7deda6a8fbc9f8982280

SHA1
ab62e9588d65a486385833455cbbc3376f9c267a

SHA256
2f6ce067c33f09cce527b1db38460a3c0a312832aab60b526f0d34a947742058

SHA512
f46402342b4a4c3084bead43b4eb2a3c60360c0735d54961dd51cb4a53a1610f782b27b744507b45c3fe1603fc4fcf7d86c06df06667b84e6b0a6bbaad39f4d7

Download Submit
C:\Windows\SysWOW64\Mllccpfj.exe

Filesize
237KB

MD5
47652e29e4defacce934869d40320472

SHA1
6e58b7d7e74c9db9c6d02680a1b60463445a14c9

SHA256
16643d3312c691c5029461d72f2b6c974ac8947c0497929e9183c29bea7014cb

SHA512
c537f809e72eeb12e9607df24860c192ed204546dbe05ad148e7d5c02b1d99a568b6e126f3f736f6fe70f07e2c195bea3320e2ef3280b183a38066c2f9772c2b

Download Submit
C:\Windows\SysWOW64\Mociol32.exe

Filesize
237KB

MD5
06849c3c46c5350ee7119e6cae535f9b

SHA1
f4e7ef34e5aae94fd1067df1196904c3c4389ffd

SHA256
6b0821f41e3e16008d21eb7bd0fe63b2e024802b1d7759664a9b796e4a30b4f4

SHA512
258677389471e722bf37c8f723df4d9f98ff5823dc649c396f39c589ccc3b3da89b2e4eb3da3a3697e448ebea52b2325c56070b4318692b3a13338d7757f5202

Download Submit
C:\Windows\SysWOW64\Mohbjkgp.exe

Filesize
237KB

MD5
7fd96a86f37348c29aa028444a53dd30

SHA1
f16e14ba92e97b0f17a31d85505e6ef50138e7c9

SHA256
5ac8456be2e736b18e62f3dce90896e925fff8950ec89eb1b83c703d31f05e3f

SHA512
cbfbec56c8f4158f2a574d4111bc92d26c04d21d4d52053e7c01b2d379ca02a5a006ac6449b9b56ae80a1969c08e3b3d09416a8ac655af2a0d6dde214e2eb892

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
237KB

MD5
741368944e4430ef0877d1c88b04e5cf

SHA1
2203d70ef018906aff407e5b33d9b6fb1eac3b1b

SHA256
d5139cfdee848fc09be759d9f358eb365b6ec5098cd9c07679ee683e97295568

SHA512
635bb749b47d6eca06bf8743ec1adac0f08a1d112aa96b4946f0ade6dfc33e9acbf3abc7f972763feee6203f8f9e6cb75418969f1d81cec1403bcb03124b355b

Download Submit
C:\Windows\SysWOW64\Nakhaf32.exe

Filesize
237KB

MD5
c85904d56fa72e96889c4eb361556da1

SHA1
641e2d4ce71f0e5fb91982a72b8e77a1c0448f42

SHA256
5aa175197bf27b4511a949f3d1ba85a0f5f53c4638ec6227067c81982a97dd01

SHA512
2742389ed90f0b97e568b0e4907297e96ac145da9a5cf6e65edcdc19c3558431bd5ff907f0a432eff14f2474fc0dc54da63dd63569393afcbbe5be2401f65b40

Download Submit
C:\Windows\SysWOW64\Ndidna32.exe

Filesize
237KB

MD5
bb566a4b839b180c5e9bc8a0594188d6

SHA1
367eee433a73835468b31e57372d8120483e85de

SHA256
30715927e0b5c544f1dfdc8e57dfc991d3702fa84d8677c6e6398ab29f79aa5b

SHA512
026c138ea3b3fdbcadf76e77a5facb022c112c96d4027278d8f52415eb9adb2d822fcbfde36e1dd93e3f93b301516cc55c072bfc071a9fc16307439750a03b78

Download Submit
C:\Windows\SysWOW64\Nhbciqln.exe

Filesize
237KB

MD5
42e04eeee14d72a6111ce5c51ad35e82

SHA1
f9121380e9a2b5036e3e26d21d38ae4205141459

SHA256
2815f8fb38356d0f0f740414449b6d4abd01760fdde5a9d00499681bc19d260b

SHA512
105d4bf152b252cee35066d1944ae2a95cb4dbf4a105702a62e28e4fa6e6934ea94294005d8d4678ca142fa21094e777a68b627dd09add1eb058ae80994f974e

Download Submit
C:\Windows\SysWOW64\Nkcmjlio.exe

Filesize
237KB

MD5
9bbd437b2099c0068eeea68386010a6b

SHA1
cdf3331c6ae7ac7dcb7b1df8f580658a08cf8488

SHA256
436793107da75e13de5a1cc7f9ee88141c6724030b8bb058a4dcf993424345d9

SHA512
ec628f02667188ac06bf90544de3ea9cdb27c028ceb0432e90662d56a4a44a5767cc33803c047629601e516a75e9ecf79410e6b4af15abcf7f8ae727cd87b030

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
237KB

MD5
eb83507bd320a2c2446f2d2b3e8e746b

SHA1
1f2464ccc3ea92a5f5a5c4e7a872ac9abb2d9b67

SHA256
05d409cbd8515325636986f287467cad8c9a0ab7e557019d7671e45189386a82

SHA512
c6601b066a3b7484d2521c9ecca7e61a432b0794b905f856c589bff39970e46c51cf42cda1f026b4bb03e1af67547986a03858c35e406d1a9e347577fdf27a98

Download Submit
C:\Windows\SysWOW64\Nomlek32.exe

Filesize
237KB

MD5
eebeac5663cde61c533ed168c099a5bb

SHA1
9dc9ba8aeb4a4231594bd594af6bce372aad510b

SHA256
983d54fede5f6244e404f089aee923e0738e4d5999b68bb8c74c7169f2f0ac94

SHA512
f92b1c6cbed4e212e754ed63ffbfe0ec6f356425d053a0b12625647adbfad3cece6f8d1f941b33feb0f26c61a0efcc7176dcc332bfae23441493ff7320255f6f

Download Submit
memory/64-44-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/64-560-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/512-299-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/784-8-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/784-535-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/916-139-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1328-671-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1448-1064-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1476-465-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2120-492-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2144-631-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2144-171-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2352-293-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2400-281-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2472-76-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2472-583-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2548-667-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2548-203-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2664-60-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2704-84-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2704-589-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2764-673-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2764-250-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2788-187-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2788-633-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2972-672-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2972-242-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3024-542-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3024-16-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3032-287-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3068-219-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3068-669-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3252-28-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3252-548-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3288-258-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3300-476-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3536-625-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3536-131-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3600-670-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3600-227-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3644-275-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3644-708-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3656-619-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4028-577-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4028-68-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4032-264-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4032-674-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4092-680-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4144-211-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4144-668-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4272-311-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4284-36-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4284-554-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4352-52-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4352-566-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4388-1038-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4408-305-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4432-100-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4432-601-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4528-147-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4528-628-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4636-630-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4636-163-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4656-179-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4656-632-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4744-92-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4744-595-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4752-529-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4752-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4812-613-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4812-116-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4992-637-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4992-195-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5064-108-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5064-607-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5116-155-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5116-629-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5140-317-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5180-323-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5220-627-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5224-329-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5256-1046-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5264-335-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5304-341-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5320-1048-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5376-518-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5376-1050-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5384-352-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5460-363-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5496-369-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5524-536-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5580-380-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5612-386-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5692-397-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5804-413-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5880-425-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5880-932-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5916-998-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5916-1000-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5916-429-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5968-436-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/6000-442-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/6040-448-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/6120-459-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads