08b9f8bb9e1c7964494064d4f85e1e851e26427ce4a6036d8061d598ce7b5262

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14761e6f37337d70fd20e4bd4fbcc1f0N.exe
Size

96KB
MD5

14761e6f37337d70fd20e4bd4fbcc1f0
SHA1

8a2923bd4088132ffe7553cdcc06655a1e02e5eb
SHA256

08b9f8bb9e1c7964494064d4f85e1e851e26427ce4a6036d8061d598ce7b5262
SHA512

c130772d43e4d2a102058283b1ae20bcb23e519969aaf1cd1b927f9398a0126482102bd39342292264be45d3bb4021534d5eca288a447681d731b80460ddf742
SSDEEP

1536:/hK+EV9sUqsE0u7hJiFFEa5s2LusBMu/HCmiDcg3MZRP3cEW3AE:/GVm9sE0khI2a5lua6miEo

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	14761e6f37337d70fd20e4bd4fbcc1f0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oakbehfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njfkmphe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phonha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boldhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceefd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onapdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjdpelnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cponen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfiplog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmipdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkgeainn.exe

Executes dropped EXE 64 IoCs

pid	Process
4940	Njfkmphe.exe
1688	Nqpcjj32.exe
3440	Nflkbanj.exe
4200	Nncccnol.exe
628	Nqbpojnp.exe
3444	Nglhld32.exe
968	Nmipdk32.exe
1856	Ngndaccj.exe
4880	Njmqnobn.exe
3060	Nceefd32.exe
3328	Ojomcopk.exe
3664	Omnjojpo.exe
3500	Offnhpfo.exe
1296	Oakbehfe.exe
1568	Ojdgnn32.exe
1416	Oanokhdb.exe
1516	Ofkgcobj.exe
1060	Onapdl32.exe
3584	Oaplqh32.exe
1844	Ofmdio32.exe
4660	Oabhfg32.exe
556	Ohlqcagj.exe
4556	Pnfiplog.exe
1076	Pmiikh32.exe
2496	Ppgegd32.exe
3052	Phonha32.exe
2032	Pmlfqh32.exe
2024	Pdenmbkk.exe
2292	Pnkbkk32.exe
2956	Pplobcpp.exe
3216	Pffgom32.exe
4484	Pnmopk32.exe
2828	Pdjgha32.exe
2324	Pjdpelnc.exe
5020	Panhbfep.exe
1560	Pdmdnadc.exe
1216	Qfkqjmdg.exe
2996	Qmeigg32.exe
4468	Qpcecb32.exe
1124	Qhjmdp32.exe
396	Qjiipk32.exe
2672	Qacameaj.exe
4148	Ahmjjoig.exe
2368	Akkffkhk.exe
4700	Aaenbd32.exe
2732	Adcjop32.exe
4092	Afbgkl32.exe
4444	Amlogfel.exe
456	Aagkhd32.exe
1616	Agdcpkll.exe
640	Amnlme32.exe
3580	Adhdjpjf.exe
1040	Akblfj32.exe
540	Apodoq32.exe
760	Ahfmpnql.exe
3004	Aopemh32.exe
5060	Apaadpng.exe
2060	Bkgeainn.exe
4932	Baannc32.exe
3668	Bhkfkmmg.exe
4492	Boenhgdd.exe
1504	Bpfkpp32.exe
1436	Bdagpnbk.exe
3284	Bogkmgba.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bgelgi32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Jgddkelm.dll	Bdfpkm32.exe
File opened for modification	C:\Windows\SysWOW64\Njfkmphe.exe	14761e6f37337d70fd20e4bd4fbcc1f0N.exe
File created	C:\Windows\SysWOW64\Njmqnobn.exe	Ngndaccj.exe
File opened for modification	C:\Windows\SysWOW64\Ofmdio32.exe	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Eopjfnlo.dll	Pmiikh32.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Pplobcpp.exe
File opened for modification	C:\Windows\SysWOW64\Amlogfel.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Hbobifpp.dll	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Jlobem32.dll	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Okhbek32.dll	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Baiinofi.dll	Ngndaccj.exe
File created	C:\Windows\SysWOW64\Ogakfe32.dll	Pffgom32.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qhjmdp32.exe
File opened for modification	C:\Windows\SysWOW64\Akkffkhk.exe	Ahmjjoig.exe
File opened for modification	C:\Windows\SysWOW64\Amnlme32.exe	Agdcpkll.exe
File opened for modification	C:\Windows\SysWOW64\Baannc32.exe	Bkgeainn.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Coegoe32.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Dpiplm32.exe
File opened for modification	C:\Windows\SysWOW64\Panhbfep.exe	Pjdpelnc.exe
File created	C:\Windows\SysWOW64\Qhjmdp32.exe	Qpcecb32.exe
File created	C:\Windows\SysWOW64\Aopemh32.exe	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Kpibgp32.dll	Ojdgnn32.exe
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Hikemehi.dll	Cggimh32.exe
File created	C:\Windows\SysWOW64\Pjdpelnc.exe	Pdjgha32.exe
File created	C:\Windows\SysWOW64\Pnkbkk32.exe	Pdenmbkk.exe
File opened for modification	C:\Windows\SysWOW64\Bogkmgba.exe	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Baegibae.exe	Bogkmgba.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Nmipdk32.exe	Nglhld32.exe
File opened for modification	C:\Windows\SysWOW64\Aopemh32.exe	Ahfmpnql.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Dgcihgaj.exe
File opened for modification	C:\Windows\SysWOW64\Omnjojpo.exe	Ojomcopk.exe
File created	C:\Windows\SysWOW64\Qgaeof32.dll	Afbgkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bkgeainn.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Eekgliip.dll	Coegoe32.exe
File opened for modification	C:\Windows\SysWOW64\Ngndaccj.exe	Nmipdk32.exe
File created	C:\Windows\SysWOW64\Cnffoibg.dll	Ofmdio32.exe
File created	C:\Windows\SysWOW64\Akkffkhk.exe	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Amlogfel.exe	Afbgkl32.exe
File opened for modification	C:\Windows\SysWOW64\Akblfj32.exe	Adhdjpjf.exe
File opened for modification	C:\Windows\SysWOW64\Bdfpkm32.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Oanokhdb.exe	Ojdgnn32.exe
File created	C:\Windows\SysWOW64\Coqncejg.exe	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Nflkbanj.exe	Nqpcjj32.exe
File opened for modification	C:\Windows\SysWOW64\Qmeigg32.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Ahfmpnql.exe	Apodoq32.exe
File opened for modification	C:\Windows\SysWOW64\Coqncejg.exe	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Dpiplm32.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Ojomcopk.exe	Nceefd32.exe
File created	C:\Windows\SysWOW64\Boenhgdd.exe	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Dmncdk32.dll	Baegibae.exe
File opened for modification	C:\Windows\SysWOW64\Bajqda32.exe	Boldhf32.exe
File created	C:\Windows\SysWOW64\Pbhafkok.dll	Nqbpojnp.exe
File created	C:\Windows\SysWOW64\Adfnba32.dll	Nmipdk32.exe
File created	C:\Windows\SysWOW64\Kibohd32.dll	Ofkgcobj.exe
File created	C:\Windows\SysWOW64\Ahmjjoig.exe	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Coegoe32.exe
File created	C:\Windows\SysWOW64\Nqpcjj32.exe	Njfkmphe.exe
File created	C:\Windows\SysWOW64\Offnhpfo.exe	Omnjojpo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5412	5276	WerFault.exe	186

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phonha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nceefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplobcpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pffgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkqjmdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahmjjoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Offnhpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhjmdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgeainn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boenhgdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkifmjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmipdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onapdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohlqcagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlfqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqbpojnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmiikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfiplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adhdjpjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omnjojpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaenbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahmfpap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nflkbanj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngndaccj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjiipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qacameaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojomcopk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofkgcobj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfmpnql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njmqnobn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnmopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjdpelnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpcecb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaplqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmdio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmeigg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	14761e6f37337d70fd20e4bd4fbcc1f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihcbonm.dll"	Pnfiplog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjdpelnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgqin32.dll"	Njfkmphe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njfkmphe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkofn32.dll"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coegoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmlfqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjllm32.dll"	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmamhbhe.dll"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnffoibg.dll"	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	14761e6f37337d70fd20e4bd4fbcc1f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopjfnlo.dll"	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpkdp32.dll"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll"	Pnmopk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcokoohi.dll"	Nqpcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	14761e6f37337d70fd20e4bd4fbcc1f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobhb32.dll"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dojqjdbl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 4940	5032	14761e6f37337d70fd20e4bd4fbcc1f0N.exe	90
PID 5032 wrote to memory of 4940	5032	14761e6f37337d70fd20e4bd4fbcc1f0N.exe	90
PID 5032 wrote to memory of 4940	5032	14761e6f37337d70fd20e4bd4fbcc1f0N.exe	90
PID 4940 wrote to memory of 1688	4940	Njfkmphe.exe	91
PID 4940 wrote to memory of 1688	4940	Njfkmphe.exe	91
PID 4940 wrote to memory of 1688	4940	Njfkmphe.exe	91
PID 1688 wrote to memory of 3440	1688	Nqpcjj32.exe	92
PID 1688 wrote to memory of 3440	1688	Nqpcjj32.exe	92
PID 1688 wrote to memory of 3440	1688	Nqpcjj32.exe	92
PID 3440 wrote to memory of 4200	3440	Nflkbanj.exe	93
PID 3440 wrote to memory of 4200	3440	Nflkbanj.exe	93
PID 3440 wrote to memory of 4200	3440	Nflkbanj.exe	93
PID 4200 wrote to memory of 628	4200	Nncccnol.exe	94
PID 4200 wrote to memory of 628	4200	Nncccnol.exe	94
PID 4200 wrote to memory of 628	4200	Nncccnol.exe	94
PID 628 wrote to memory of 3444	628	Nqbpojnp.exe	95
PID 628 wrote to memory of 3444	628	Nqbpojnp.exe	95
PID 628 wrote to memory of 3444	628	Nqbpojnp.exe	95
PID 3444 wrote to memory of 968	3444	Nglhld32.exe	97
PID 3444 wrote to memory of 968	3444	Nglhld32.exe	97
PID 3444 wrote to memory of 968	3444	Nglhld32.exe	97
PID 968 wrote to memory of 1856	968	Nmipdk32.exe	98
PID 968 wrote to memory of 1856	968	Nmipdk32.exe	98
PID 968 wrote to memory of 1856	968	Nmipdk32.exe	98
PID 1856 wrote to memory of 4880	1856	Ngndaccj.exe	99
PID 1856 wrote to memory of 4880	1856	Ngndaccj.exe	99
PID 1856 wrote to memory of 4880	1856	Ngndaccj.exe	99
PID 4880 wrote to memory of 3060	4880	Njmqnobn.exe	100
PID 4880 wrote to memory of 3060	4880	Njmqnobn.exe	100
PID 4880 wrote to memory of 3060	4880	Njmqnobn.exe	100
PID 3060 wrote to memory of 3328	3060	Nceefd32.exe	102
PID 3060 wrote to memory of 3328	3060	Nceefd32.exe	102
PID 3060 wrote to memory of 3328	3060	Nceefd32.exe	102
PID 3328 wrote to memory of 3664	3328	Ojomcopk.exe	103
PID 3328 wrote to memory of 3664	3328	Ojomcopk.exe	103
PID 3328 wrote to memory of 3664	3328	Ojomcopk.exe	103
PID 3664 wrote to memory of 3500	3664	Omnjojpo.exe	104
PID 3664 wrote to memory of 3500	3664	Omnjojpo.exe	104
PID 3664 wrote to memory of 3500	3664	Omnjojpo.exe	104
PID 3500 wrote to memory of 1296	3500	Offnhpfo.exe	105
PID 3500 wrote to memory of 1296	3500	Offnhpfo.exe	105
PID 3500 wrote to memory of 1296	3500	Offnhpfo.exe	105
PID 1296 wrote to memory of 1568	1296	Oakbehfe.exe	106
PID 1296 wrote to memory of 1568	1296	Oakbehfe.exe	106
PID 1296 wrote to memory of 1568	1296	Oakbehfe.exe	106
PID 1568 wrote to memory of 1416	1568	Ojdgnn32.exe	107
PID 1568 wrote to memory of 1416	1568	Ojdgnn32.exe	107
PID 1568 wrote to memory of 1416	1568	Ojdgnn32.exe	107
PID 1416 wrote to memory of 1516	1416	Oanokhdb.exe	108
PID 1416 wrote to memory of 1516	1416	Oanokhdb.exe	108
PID 1416 wrote to memory of 1516	1416	Oanokhdb.exe	108
PID 1516 wrote to memory of 1060	1516	Ofkgcobj.exe	110
PID 1516 wrote to memory of 1060	1516	Ofkgcobj.exe	110
PID 1516 wrote to memory of 1060	1516	Ofkgcobj.exe	110
PID 1060 wrote to memory of 3584	1060	Onapdl32.exe	111
PID 1060 wrote to memory of 3584	1060	Onapdl32.exe	111
PID 1060 wrote to memory of 3584	1060	Onapdl32.exe	111
PID 3584 wrote to memory of 1844	3584	Oaplqh32.exe	112
PID 3584 wrote to memory of 1844	3584	Oaplqh32.exe	112
PID 3584 wrote to memory of 1844	3584	Oaplqh32.exe	112
PID 1844 wrote to memory of 4660	1844	Ofmdio32.exe	113
PID 1844 wrote to memory of 4660	1844	Ofmdio32.exe	113
PID 1844 wrote to memory of 4660	1844	Ofmdio32.exe	113
PID 4660 wrote to memory of 556	4660	Oabhfg32.exe	114

C:\Users\Admin\AppData\Local\Temp\14761e6f37337d70fd20e4bd4fbcc1f0N.exe
"C:\Users\Admin\AppData\Local\Temp\14761e6f37337d70fd20e4bd4fbcc1f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SysWOW64\Njfkmphe.exe
  C:\Windows\system32\Njfkmphe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\Nqpcjj32.exe
    C:\Windows\system32\Nqpcjj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\Nflkbanj.exe
      C:\Windows\system32\Nflkbanj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
      - C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        26⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        45⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        47⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        54⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        82⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        92⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 400
        94⤵
        Program crash
        
        PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5276 -ip 5276
1⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8
1⤵
PID:5668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aopemh32.exe

Filesize
96KB

MD5
31db6c1dde907aaf8ef2df203513748a

SHA1
594371e12f235ed2ce9250d714a9899e602575a5

SHA256
6ad9d117aa4d914a7278908be6e556ddb16a1afc6b89f23e765fb0f7899cd5dc

SHA512
f8945f65116812c624fef8bacd896f6f159189c2b5cbbb695267800fe932ffae86dd94e146915c39acc95e6b921039c115f5e705087023c3b1ee0d0ff4d2f80e

Download Submit
C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
96KB

MD5
7976edfadcd0cfe8a0b3db2d6ee1475e

SHA1
a8165d510b5671b6bf244ae3a1eeb1f052539615

SHA256
9372ecf7e47447d840bb31e0daa7a42480d1ce09c67882b1185fa13599cf0ebd

SHA512
6708f99a819f925495302f6b03e2836412dfa6a076078202f055b096105c8f05df468308a6d479dee2e184b894e5961f12e777757322257a3791580917e70ef9

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
96KB

MD5
9c6c8088e1cc8125ff566c3b1e2b60f8

SHA1
3723575261108dfaed5e3d27c36afa9c15c3a217

SHA256
389809d2ddbd79f74d7fdf97a32654fe1067aa73ef697488cd7f792ea8ea5f9c

SHA512
dde8daa2bf6fc1d5af775aba6e097768c9a3a0f961cb26e09a2dfcbb396a5e67114740a147eb1916f529d65e1429598a1be60dcc12f3764c90ee7f7ee5e9d1d1

Download Submit
C:\Windows\SysWOW64\Boenhgdd.exe

Filesize
96KB

MD5
a1fe5955fe067805d21f7b0f2fea0718

SHA1
83a0742043a5c141ba7fb7bd317e246e72504fbd

SHA256
b1ea4865ed366f77b628b06ac257942107a1c413ad16c2fe96de0e06fd336b89

SHA512
8c56e6c2dbce4bab130b9e9efc1499e2f6fe3b391a643cc9dd532c6c7b73873e1d2062f1a683aedc1cee73e055311217f368deccfde774162d9b7221518c3787

Download Submit
C:\Windows\SysWOW64\Dgcihgaj.exe

Filesize
96KB

MD5
7b21681d28b32eb7acf473747fd3cb59

SHA1
da1ecd61fc1bd5acadad98e6895203da11ed826d

SHA256
4e7ec76a66d992d498d7d89d0e88646017250d8d93e4d952f304d547478aecee

SHA512
73651d0732e98a996a4a55b7cec1f39dd0625a5e8e85ac4801d9ddbcf507c670f4c1696cd6b83b29cbbf47ddc0a0cde2b438a0f20471dac52ce6526ca415fe58

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
96KB

MD5
6c8238d7ab02c04f790a4d85717746f6

SHA1
b39dd202eb984edbc0fa66e3455d14c45f016fd8

SHA256
21b72d3268d4ac57e597bd0a4729263fc72eb6457c3be966f69591346bacedc2

SHA512
3acd2485a8d3cc72c610a3e09d0803421332c1e2b1766e49a0130c70d35867882bdc676e321332233129ac4108a9f86852a43af88719bfeee8065b87038d3fee

Download Submit
C:\Windows\SysWOW64\Nflkbanj.exe

Filesize
96KB

MD5
0146114f603c079f88e064db15a8eb10

SHA1
41025ab5a929644c4bfd27abc7f1c09c7a02abf9

SHA256
3094b995b5f49d1c9a632d5bdca12aa4530d20ae6f376395d1499ef48384a4da

SHA512
0d698931e6a32db8fdbfa48e29e5fb97fa498b5c192e7809331195546576630701858993ac313827311aa23a31db81689d3fe477395509d5657b93020511f177

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
96KB

MD5
def772bc698bfb53a4f53970b02ec4bb

SHA1
cfb4114958b1531f122bf45ec42d4722797f092b

SHA256
5d609760c20084c5034564fd7f2dfcdc03debdc92f9b8953b6a87c77ab1b3a4f

SHA512
4756a7690e00365e72e8dc7959499a12532565617bfe28557fbbcfb3e7ef7c88335a9aa3cbf3e07ef4858751f76b0e02975214a19747278ff123c5a7b2f9f157

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
96KB

MD5
82e0f5b3c5336b0647d0f7953a7b6091

SHA1
a7d1dd16c150b1371db82be2e5e38d5619115a35

SHA256
429a8ed340580913d47de722eaec5115bacba597a48c91dcc51d4d6ebd6a58c8

SHA512
f6b6db59defd6921c745e2abc4fee0df25b125e2bf412b215a3346c9cc15c68104efe9d739d2947d539bc54c62fdbabfc92c35cfa5ff04ea6e321760ae75f9b0

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
96KB

MD5
ad0fa3b62b960785fcc226f2346f904e

SHA1
630d6d98305f0f32313b96ff2e565cf24ce56387

SHA256
376e73433726790aff5a8c6d1c07490778fae2fe2da66e425aeb5cf9f369b80b

SHA512
78ba88b71a346504cdc21b9fbd12b2ecc028da365e298260f377b5a32e2758d8f5107868db2b4248cf003343bb63fdd87915086ef05f3b89a12560a9dfe51e8b

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
96KB

MD5
4cda2c795b74e89703c5464bc2f77c33

SHA1
497ca1113f272f94f121c644bd40301975d164b0

SHA256
159cbb33c7915dcdc960fb9b2e907a19625409fa2afb7a74499b54cd772bb521

SHA512
47ddfed60a3d22dd64d542eb8d301c3942131a4ff09e1b75c18018403537900984f98fa7cc3ecafcbd77ae95b6c984b5d1825cf6985bcefc168ebdf44d6e325d

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
96KB

MD5
3b8084eb5423b16253e61dcb0dc2fcc6

SHA1
19fb5cf710e3cdd0aa30c7131b0bd19e0e8ce376

SHA256
b5902ecd262b74ba72ccec8a3ebd9bc45ff7f74d50c625c82552e0f5d7ed2e44

SHA512
28553b76c55551782a440c689fd2494fc6490cf508e4f4de7418a6c6d24e73c10806449238e7875d4dbfea140ee14cf8ad3f42853c40fa5c8e7eb4cf92dfdf30

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
96KB

MD5
e83d4c8a8f803d3b27f89de3b167120f

SHA1
a231d448b9e89dde54df58d00c153b45c1cc90c8

SHA256
fb32dd87f560e52fdc80e664ac57fb77e435e4ceb6c0b0d35ad1849862257684

SHA512
267e88c0e513b8a5d3ae8e8a402096cdff6cc4f2961f755b3977eff70094131c8da87a231c1603f4633a9ec377c29c65112f17b35810705ca482d9182b25643a

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
96KB

MD5
4a08524e23c24c73ad4b049b32c36c63

SHA1
37fb2863aad011dc31654b3456d34d3ffd0e52ef

SHA256
0bce1de54b342dc071c5a7787ce028f0a783ef066dcf59213ae2ed0d939d1419

SHA512
652993775077875cb0711eb5531536366cca6dec23d1559af88b795a3861f2c607b6e893cdf3c02346e98651fb7fe6a18444b4b6a7da60da67a9fcfd8834adf6

Download Submit
C:\Windows\SysWOW64\Nqpcjj32.exe

Filesize
96KB

MD5
5766f723889bcebd80f7153d7f79a2a3

SHA1
3e1552c0b437fa74bfe8685d65fb91f7374333fa

SHA256
ff21f2933d6166e3e1a81219738a9ee8c22916c3851b9fd0d87e05478c16a92e

SHA512
95db2be83d63ff2de390512e3bc2712a5ea0552ecafe0c497d1b7a7f1e2818a77c2e30d903c38b1d875a16601d93539a396501fa10446894c6bfeaf1f26dd13c

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe

Filesize
96KB

MD5
26541bc11b2dc8945a5759431f184178

SHA1
24319075b160e58083781b7e0e8a7f0f59015083

SHA256
b9938c63b4abd0bb314dc34ce7e5c0827b51750ae75982aedd01aa608e2e2e84

SHA512
0c25af3c394f3fa61468d5f4ef35553fd69d0c5e6276c3f6e669969255d90d3c026c2e7133efda834fccd2821522f7dfb4c19dcc0ab89a7df27ebb5ff2618227

Download Submit
C:\Windows\SysWOW64\Oakbehfe.exe

Filesize
96KB

MD5
57c6796fe3decb88e603e4404fb9db33

SHA1
5673c8dafaea6e3ff0d548d58c99a839284742da

SHA256
6af82e7b71dd74efc1fa36c58d6e05a52886f05ed81d99696c8dfc3ec2fdbb55

SHA512
8b8705ff777c5a598707898bd33f37259f1bf74b99b20811a6769b33950bbf0f7212bbf0ab5f72b81d022d9052ff940b62c8ac024affb0e0c8477ecb8e92747e

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
96KB

MD5
5167bcf5670404d433c07b54bb3f4b32

SHA1
610928d3b2ad09fa90a78fcc83c1dfcfb732d1e2

SHA256
6c89816392a5dc75eb4611665a6e062e47c3f726007cb05507d1a37a16301839

SHA512
8f9cd34e557b482b28b421e257bc3104c86752173589332ef6ff8d37e63021a1012de5174f0aea420f861009a33da669feb45e07bcd9150e67fac0939ef89c6b

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
96KB

MD5
065a508ded5d1c48bd514b8a96180ae7

SHA1
806907e4c8dacdbf5a10d8dac81e4f1430bfdf25

SHA256
9cbdeef6227b46e74e2a2e4db550ceeae587c3914b26e1c497edce1cef1e0290

SHA512
6993f759db044be0db645162685013eb5cb3874e83aa845b6692eff8b09eca4cfa89781ba9d07a15d43d1576bcb72b9bfa5cb72580a5f811f2d9ac614c397d89

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
96KB

MD5
682c63fe2b1228998c8ddacde487bdf9

SHA1
e2238488331d862ca93189e4ea1e4f2d8bc5b0b5

SHA256
89c635556a7ebb256bfa0f5689871c0c3c11e85281a74cf29ced459f1a4fc2ee

SHA512
7d7f703089c340b21c058398e4ea6158be81587a532c266e2e232a2157884ce66bbd1a467b631ce79766577252dfb7ae3b0ddec9cd8a034875dec19898c3fa9c

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
96KB

MD5
b6c0d1722b1c3bd2278d64677ed1ae7d

SHA1
a220b3c68edd29da866c20217d461a84434a0adc

SHA256
a9f5bb99f7445149290609f4570e891d4d7c31a08528724358706706e251ceb0

SHA512
9b5a3cac399dc9c16b9b4b3ca76c10b6b282a0e6d3ebf9de31da53879179678d3190fc467840de2a8d93d0d50009ce839702cca7f8b43cd23265af7e27daa96d

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
96KB

MD5
027cda6b44ea886f24ba0e34d3640a44

SHA1
ea41d9e191566aa2adbde650c61e7c877df9ecea

SHA256
0b1418dff4a4afdbf33e5442fd36423dc5a02c61a52942ddcc0ec050e9a24ed5

SHA512
2031420ee045cef08c3164330560bfd21ef3dd606d4092e115152ac1a3fb730bd6767b25a4cce2288bf359220b5b118e1fadceb3bc4ca7415fa1f4d15f2e7d2b

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
96KB

MD5
239d8bf96f56530322514145efb41246

SHA1
a0ce2bc052a563ad7073d1c7b31bbab2a6207022

SHA256
edb1aa97c65bf7134f0591facf494dd7e63e43c8dac4c6d197c7781bdba25ab0

SHA512
85de6faf1b288a00ff25b7c8c2fcea8270813d2a314dd9bc170a0f8075c7a3d2476473da1c0980cdb22dedae2ac8806172dccf2010426c2069c89de3a9725816

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
96KB

MD5
9c2ccd0ff8b20a10fe30374ccb3434a0

SHA1
d773fed7e6fddd5b69cf97f1ade7ac91e524a409

SHA256
ae00fa3a08bb5b5d06868f3d8888be2a0474e10360982eb85b4d06c967f845ea

SHA512
f2963de1a73ab3a6c702da734859f07912ccafa74f076a5919214a8a9b19b54cacd5836e390eb17e8832125fa396ccd760718e4177dbed4735c0f1b25bf3ee17

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
96KB

MD5
726155ac1245ebb5b29e3c2d0a697429

SHA1
fe1cf1080f77b42cd883ce547f529df5a6320609

SHA256
4bd9d4d3c330bcb21bb6c692da792e380bb7dbfdbfea6990d7010696b10fd9bd

SHA512
a632404b642424f5180f610a2caee918466baf7ab3e7965a59f79e6a0b8f9c197fd265b3ba74f31b07fb729cb7d9f5c3fc64b61ec68474373cee0a23a815fb6a

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
96KB

MD5
477a56f55c2420f0b72ab5c4d923bc9d

SHA1
257b3b43c108867f7dc74b1702892138d96d7513

SHA256
b3038ccb458eb452906c7e11cc63adc119462ddf36e0b4431e2ba4ca8b95a096

SHA512
c7cc7d96e52e9d479ae6ceaa65907b4bcde02ac7fd6c026ed1326d2b912d4a5f45c46751791636930223ff1df8e4bb9428e191195360a49db227114a9550da2a

Download Submit
C:\Windows\SysWOW64\Onapdl32.exe

Filesize
96KB

MD5
2d3ab766ff822bb0535d6c4f1ef59ea6

SHA1
3327dcea2b9c8f459bc1cc3256feaaa2044fe2df

SHA256
be11d5e6ed889ce65871c8a14fdbe7e1cfa2a3e3b19356495e21ad8eb784c177

SHA512
bc8818f8634ffd70b7dfa5e501c9206c82a2a3bdd54bd39914cb65560bd1fc4729499c8a1948d449ca9b5a5ad761f1a0f820835db8ef1b4ec8bdd2aa4b492f10

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
96KB

MD5
398f48be688484812b2ee50677c94de1

SHA1
f6f0ec01166ff93aa96c9e2c830819d699866531

SHA256
ffd85002afce0ce86deb3082af3fa903103eb78e912f05da2cc56f5a29d48387

SHA512
0108c2647906eedcbc965eaefe2887665eb4d5aa256c4acc2418f54a62b8ee20ffd3239f39a6c14bc3376c29f70614692ebb77b2a7a4061c02b180669d42f01e

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
96KB

MD5
3581b5d9cbc460e380ef0819241f47ee

SHA1
c3c6e664a80dbec36df717c7fd198fa9a3f30dba

SHA256
638f24037fb6bde451e284185b685d61f41ac9b6554b67b9ac916a302c0b0373

SHA512
2bf3d15214bf2f2209d48649a52d481183040d1239f4bd1483a95b963b9d25f182a0068d3f06d4e57740c831a980d4eed88af5a886518a9509416280a480e28e

Download Submit
C:\Windows\SysWOW64\Phonha32.exe

Filesize
96KB

MD5
be814fac67c1b8037c083716d4be3228

SHA1
770def5fd8536372eb4d0a984581c9e5c99ded48

SHA256
b7bdeb84db1f1466fd14c3f413731f7ce30f5d1733ff53d6d7e9d8ddb6af398c

SHA512
fc55a9bf40dd73dab2d2d4564b870b8aa40e6dc4dbeb78dd660d00a86613bc4a0b8e4895a3132db64c8112561aebbb10bf4535601b7db0851a3da529a3633d81

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
96KB

MD5
3906a81eeb083ea0db156ae52268bf50

SHA1
bc3c0657daf8dbab259c376c6883e122e8bafa72

SHA256
67a0f619c84400c0c4021e2544284adb112817d5e1afda1e920488f6fefa53f4

SHA512
9b700e79741ed0ec5873a0e03c1b232e39a19ccbf9f9f33b2fa6a5f56f07d02cab83def9c2e307c8cd6e19d9df3b92ce7e76de668b6555ac27a05db3344120ff

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
96KB

MD5
bae673a52261c1ad36146754e6c853d8

SHA1
e777cf79ade2250a74f87aef881114f3b910d22a

SHA256
e6d4916eead94f24814ae9e9fd1063832937805b8bc6a8b7b0397eb94421ac23

SHA512
ad94eb125fcce3206d4ee864f303d8c32399a4e826b55ab3673134cfede78e6dc07cbb6a6930f53a7e40b56667fb81744436e7ca19b1a756435eeabf9cfa0a29

Download Submit
C:\Windows\SysWOW64\Pnfiplog.exe

Filesize
96KB

MD5
e8846dc332b11c6ad6125e36d5128a6d

SHA1
2e00e6d5aed052cdf37f15f4774e5c67387fdc2d

SHA256
cb2084ec898f5296e5b9b94a626664cc4af7e81541a5cf87d0f0d6cfd095b452

SHA512
46d6f529cefdf95e6cdda92590e9102c76739daa03737463d030153bbdf674bb04922a4f2388c4e147fc59382e19c08b432763f79298f5c2e3d277297f3559fc

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
96KB

MD5
a81d6e84a23ce0a4bca9362b82aabf0b

SHA1
6c564d0ac9e95c8dec204cdb955268d9a032dc16

SHA256
6cac9e8abcbebfd9542d5677b1732e808f6cce5380c118547a888f1ff60db1c0

SHA512
cb3f4bd9997425d0ee7567b86279619eba1a9c013fe701bfaa6a4dd25529392a595ea18d1e75a0595fafe9c028b310bca95ced6a3da6e3da2129d226394b2654

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
96KB

MD5
47d64d99c60f718908a4ebb108b6a10c

SHA1
51f665a457013c0f846ce2f7184c64fcea7740ff

SHA256
357afb1804b7f968c1882786c8ad48008712f91acdd4774af86b04f27c09c039

SHA512
527851628750a84d91b9f7784bdd421ec3730be9d6df53f69f5fc1eea0266475d80989776d4caa274da4852510eb9459852be09ea5678c59b10aa2fad0c73d82

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
96KB

MD5
203c1d966f8ae1ed4dcfa6879ddd6ae1

SHA1
3a3571cf326bf6f2073923070f0708d5c7a75666

SHA256
51c30eb586d367b2c6144f440da96ebfdb408ee34e723b3bdd98374373cbafa1

SHA512
1f1c013f284931f9a89935e1d55319a37cb063bcaede78e5edda76da9b7e9f2669ed765313bb85c9b2cf2cfa644a28d57a4efae6283a0245116dab894af8a359

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
96KB

MD5
dbbe46ed13970499d5f3511eb6604dc0

SHA1
16c701565b2e87e1000a1ffcd7f0a5359ab5ecb5

SHA256
4a120364d79c780090e05928399d8eec111efa2b293864e4830a18e40c384cc8

SHA512
43ca5d42c12070b1a42dcd10cfaf9d31ad5ea65e0fba3a3b8a936e29d9cbfbcb07907db51ed2a08affb216d740d7d423c5c37ff79c11cb16df08273ebf22b855

Download Submit
memory/396-729-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-710-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-738-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-749-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5060-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5172-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5216-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5256-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5296-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5336-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5376-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5416-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5460-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5500-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5532-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5580-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5620-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5668-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5708-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5756-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5808-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5872-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5932-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5976-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads