1b9a06e8161cd3e33a72c0d0e8348dea7bbd1fc46fc739481db8615f2100e1a9

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 19:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1b9a06e8161cd3e33a72c0d0e8348dea7bbd1fc46fc739481db8615f2100e1a9.exe
Size

74KB
MD5

5d1dc0609ac9b04de84a23c02812a72e
SHA1

5935be90996ba5f1ab823fefc43fa4f6d0143ee1
SHA256

1b9a06e8161cd3e33a72c0d0e8348dea7bbd1fc46fc739481db8615f2100e1a9
SHA512

b6f0ae16c067dade009adf8a8650c584a5755bdc2f97689082fda95daeadd39e3ee0bd02f969dc58dd88382dc523d29069d214f004d021b5c435c6cf09220555
SSDEEP

1536:0DYS+GGmsvxLklLNl1S8QbNKLNpPN82PkIueXIk1Hu:0DB+GVsJLklLNl1kgNpPNRPkIuJktu

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bblcfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oohkai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omaeem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhfknjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ammnhilb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bppcpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bipnihgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcppq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfonnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmagch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpgjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odedipge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlefjnno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgdgijhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1b9a06e8161cd3e33a72c0d0e8348dea7bbd1fc46fc739481db8615f2100e1a9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohkai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpcdfll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cekhihig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpifeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfoegm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clpgkcdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbnbemf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmfqngcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlefjnno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bblcfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbhbbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohhfknjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecialmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmmgof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cboibm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmfqngcg.exe

Executes dropped EXE 64 IoCs

pid	Process
5076	Ldkhlcnb.exe
784	Mclhjkfa.exe
3024	Mhiabbdi.exe
3952	Nlnpio32.exe
4372	Nomlek32.exe
3580	Nheqnpjk.exe
3976	Ncjdki32.exe
1716	Nhgmcp32.exe
2704	Ncmaai32.exe
5108	Nfknmd32.exe
2120	Nlefjnno.exe
1548	Nbbnbemf.exe
4840	Nlgbon32.exe
2792	Nofoki32.exe
2772	Ohncdobq.exe
1588	Oohkai32.exe
4788	Odedipge.exe
3116	Ookhfigk.exe
4704	Ocfdgg32.exe
4664	Odgqopeb.exe
3980	Okailj32.exe
2736	Odjmdocp.exe
4464	Omaeem32.exe
1504	Obnnnc32.exe
4332	Ohhfknjf.exe
1928	Obpkcc32.exe
1184	Pijcpmhc.exe
2788	Pcpgmf32.exe
3300	Pmhkflnj.exe
5064	Pcbdcf32.exe
4728	Pfppoa32.exe
2420	Piolkm32.exe
3192	Pbgqdb32.exe
4636	Piaiqlak.exe
4608	Pkoemhao.exe
4708	Pfeijqqe.exe
2264	Piceflpi.exe
2520	Pkabbgol.exe
4232	Pbljoafi.exe
3460	Qejfkmem.exe
3804	Qmanljfo.exe
4796	Qbngeadf.exe
2208	Qelcamcj.exe
2436	Qmckbjdl.exe
3756	Abpcja32.exe
3040	Aijlgkjq.exe
4828	Apddce32.exe
3720	Abcppq32.exe
4348	Aimhmkgn.exe
540	Alkeifga.exe
872	Abemep32.exe
4048	Aecialmb.exe
1788	Apimodmh.exe
3704	Aeffgkkp.exe
3736	Ammnhilb.exe
1448	Abjfqpji.exe
4292	Amoknh32.exe
1332	Bblcfo32.exe
680	Bmagch32.exe
5052	Bppcpc32.exe
4460	Bemlhj32.exe
4900	Bpbpecen.exe
1532	Bflham32.exe
5132	Bmfqngcg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cieonn32.dll	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Nfknmd32.exe	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Bipnihgi.exe	Bfabmmhe.exe
File created	C:\Windows\SysWOW64\Lgilmo32.dll	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Dihmeahp.dll	Dfonnk32.exe
File created	C:\Windows\SysWOW64\Dcmlbk32.dll	Ldkhlcnb.exe
File created	C:\Windows\SysWOW64\Pkoemhao.exe	Piaiqlak.exe
File opened for modification	C:\Windows\SysWOW64\Bpgjpb32.exe	Bimach32.exe
File created	C:\Windows\SysWOW64\Eldafjjc.dll	Cmmgof32.exe
File created	C:\Windows\SysWOW64\Iqhqndlf.dll	Clpgkcdj.exe
File opened for modification	C:\Windows\SysWOW64\Ookhfigk.exe	Odedipge.exe
File created	C:\Windows\SysWOW64\Odpldj32.dll	Ocfdgg32.exe
File created	C:\Windows\SysWOW64\Ohhfknjf.exe	Obnnnc32.exe
File opened for modification	C:\Windows\SysWOW64\Abemep32.exe	Alkeifga.exe
File opened for modification	C:\Windows\SysWOW64\Nhgmcp32.exe	Ncjdki32.exe
File created	C:\Windows\SysWOW64\Oenflo32.dll	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Bmfqngcg.exe	Bflham32.exe
File created	C:\Windows\SysWOW64\Djbehfpe.dll	Cdjlap32.exe
File opened for modification	C:\Windows\SysWOW64\Bmagch32.exe	Bblcfo32.exe
File created	C:\Windows\SysWOW64\Jgedpmpf.dll	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Ookhfigk.exe	Odedipge.exe
File created	C:\Windows\SysWOW64\Pbgnqacq.dll	Omaeem32.exe
File opened for modification	C:\Windows\SysWOW64\Aeffgkkp.exe	Apimodmh.exe
File opened for modification	C:\Windows\SysWOW64\Odgqopeb.exe	Ocfdgg32.exe
File created	C:\Windows\SysWOW64\Fqkiecpd.dll	Aecialmb.exe
File created	C:\Windows\SysWOW64\Hiagoigj.dll	Cmpcdfll.exe
File created	C:\Windows\SysWOW64\Hodcma32.dll	Dinjjf32.exe
File created	C:\Windows\SysWOW64\Pqoppk32.dll	Obnnnc32.exe
File created	C:\Windows\SysWOW64\Dmabgl32.dll	Bfoegm32.exe
File created	C:\Windows\SysWOW64\Cmpcdfll.exe	Cehlcikj.exe
File created	C:\Windows\SysWOW64\Iojghflb.dll	Cbaehl32.exe
File created	C:\Windows\SysWOW64\Jjfaml32.dll	Mclhjkfa.exe
File opened for modification	C:\Windows\SysWOW64\Abpcja32.exe	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Cqbolk32.dll	Bppcpc32.exe
File opened for modification	C:\Windows\SysWOW64\Bpbpecen.exe	Bemlhj32.exe
File opened for modification	C:\Windows\SysWOW64\Cehlcikj.exe	Cbjogmlf.exe
File opened for modification	C:\Windows\SysWOW64\Dinjjf32.exe	Dfonnk32.exe
File opened for modification	C:\Windows\SysWOW64\Omaeem32.exe	Odjmdocp.exe
File opened for modification	C:\Windows\SysWOW64\Pfppoa32.exe	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Qbngeadf.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Bppcpc32.exe	Bmagch32.exe
File created	C:\Windows\SysWOW64\Pijcpmhc.exe	Obpkcc32.exe
File created	C:\Windows\SysWOW64\Pkabbgol.exe	Piceflpi.exe
File created	C:\Windows\SysWOW64\Pbljoafi.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Aahgec32.dll	Bmfqngcg.exe
File created	C:\Windows\SysWOW64\Dlncla32.exe	Dipgpf32.exe
File created	C:\Windows\SysWOW64\Cdkdne32.dll	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Qmckbjdl.exe	Qelcamcj.exe
File opened for modification	C:\Windows\SysWOW64\Cpifeb32.exe	Bipnihgi.exe
File opened for modification	C:\Windows\SysWOW64\Cbjogmlf.exe	Clpgkcdj.exe
File created	C:\Windows\SysWOW64\Ncmaai32.exe	Nhgmcp32.exe
File created	C:\Windows\SysWOW64\Pmhkflnj.exe	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Dqjhif32.dll	Abcppq32.exe
File created	C:\Windows\SysWOW64\Agdghm32.dll	Bliajd32.exe
File created	C:\Windows\SysWOW64\Nkeoha32.dll	Bimach32.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	Omaeem32.exe
File opened for modification	C:\Windows\SysWOW64\Pkoemhao.exe	Piaiqlak.exe
File created	C:\Windows\SysWOW64\Qmanljfo.exe	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Abemep32.exe	Alkeifga.exe
File opened for modification	C:\Windows\SysWOW64\Bfabmmhe.exe	Bpgjpb32.exe
File opened for modification	C:\Windows\SysWOW64\Nofoki32.exe	Nlgbon32.exe
File created	C:\Windows\SysWOW64\Jknmpb32.dll	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Qejfkmem.exe	Pbljoafi.exe
File opened for modification	C:\Windows\SysWOW64\Amoknh32.exe	Abjfqpji.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5264	5984	WerFault.exe	193

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjfqpji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clpgkcdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cehlcikj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefjnno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemlhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alkeifga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clijablo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookhfigk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlncla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammnhilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cifdjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhfknjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbhbbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdgijhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbnbemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbljoafi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedipge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeijqqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimhmkgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nheqnpjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obpkcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apimodmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bflham32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mclhjkfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpbpecen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabmmhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeffgkkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b9a06e8161cd3e33a72c0d0e8348dea7bbd1fc46fc739481db8615f2100e1a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjlap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cekhihig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohncdobq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpgjpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecialmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bliajd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjogmlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmmgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amoknh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bppcpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipnihgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciiaogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhiabbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofoki32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohhfknjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abemep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adljdi32.dll"	Abemep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbehfpe.dll"	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cehlcikj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbbnbemf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjfpp32.dll"	Cehlcikj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nofoki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapijd32.dll"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Piceflpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bppcpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfaml32.dll"	Mclhjkfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjam32.dll"	Nofoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeffgkkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdkdne32.dll"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbaehl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffcf32.dll"	1b9a06e8161cd3e33a72c0d0e8348dea7bbd1fc46fc739481db8615f2100e1a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqbolk32.dll"	Bppcpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgdgijhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjonchmn.dll"	Nheqnpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaaqg32.dll"	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijflc32.dll"	Pijcpmhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iipkfmal.dll"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abcppq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbhbbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjgnln32.dll"	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipiefce.dll"	Amoknh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgmiidl.dll"	Cekhihig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1b9a06e8161cd3e33a72c0d0e8348dea7bbd1fc46fc739481db8615f2100e1a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nheqnpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpkdlkd.dll"	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbfoclai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cekhihig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdnon32.dll"	Dbfoclai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiebmbnn.dll"	Nlefjnno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknmpb32.dll"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeffgkkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhopqko.dll"	Bflham32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bliajd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnmfk32.dll"	Mhiabbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnoch32.dll"	Cpifeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famnbgil.dll"	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffopp32.dll"	Dgdgijhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmlbk32.dll"	Ldkhlcnb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 5076	1480	1b9a06e8161cd3e33a72c0d0e8348dea7bbd1fc46fc739481db8615f2100e1a9.exe	90
PID 1480 wrote to memory of 5076	1480	1b9a06e8161cd3e33a72c0d0e8348dea7bbd1fc46fc739481db8615f2100e1a9.exe	90
PID 1480 wrote to memory of 5076	1480	1b9a06e8161cd3e33a72c0d0e8348dea7bbd1fc46fc739481db8615f2100e1a9.exe	90
PID 5076 wrote to memory of 784	5076	Ldkhlcnb.exe	91
PID 5076 wrote to memory of 784	5076	Ldkhlcnb.exe	91
PID 5076 wrote to memory of 784	5076	Ldkhlcnb.exe	91
PID 784 wrote to memory of 3024	784	Mclhjkfa.exe	92
PID 784 wrote to memory of 3024	784	Mclhjkfa.exe	92
PID 784 wrote to memory of 3024	784	Mclhjkfa.exe	92
PID 3024 wrote to memory of 3952	3024	Mhiabbdi.exe	93
PID 3024 wrote to memory of 3952	3024	Mhiabbdi.exe	93
PID 3024 wrote to memory of 3952	3024	Mhiabbdi.exe	93
PID 3952 wrote to memory of 4372	3952	Nlnpio32.exe	94
PID 3952 wrote to memory of 4372	3952	Nlnpio32.exe	94
PID 3952 wrote to memory of 4372	3952	Nlnpio32.exe	94
PID 4372 wrote to memory of 3580	4372	Nomlek32.exe	95
PID 4372 wrote to memory of 3580	4372	Nomlek32.exe	95
PID 4372 wrote to memory of 3580	4372	Nomlek32.exe	95
PID 3580 wrote to memory of 3976	3580	Nheqnpjk.exe	96
PID 3580 wrote to memory of 3976	3580	Nheqnpjk.exe	96
PID 3580 wrote to memory of 3976	3580	Nheqnpjk.exe	96
PID 3976 wrote to memory of 1716	3976	Ncjdki32.exe	98
PID 3976 wrote to memory of 1716	3976	Ncjdki32.exe	98
PID 3976 wrote to memory of 1716	3976	Ncjdki32.exe	98
PID 1716 wrote to memory of 2704	1716	Nhgmcp32.exe	100
PID 1716 wrote to memory of 2704	1716	Nhgmcp32.exe	100
PID 1716 wrote to memory of 2704	1716	Nhgmcp32.exe	100
PID 2704 wrote to memory of 5108	2704	Ncmaai32.exe	101
PID 2704 wrote to memory of 5108	2704	Ncmaai32.exe	101
PID 2704 wrote to memory of 5108	2704	Ncmaai32.exe	101
PID 5108 wrote to memory of 2120	5108	Nfknmd32.exe	102
PID 5108 wrote to memory of 2120	5108	Nfknmd32.exe	102
PID 5108 wrote to memory of 2120	5108	Nfknmd32.exe	102
PID 2120 wrote to memory of 1548	2120	Nlefjnno.exe	103
PID 2120 wrote to memory of 1548	2120	Nlefjnno.exe	103
PID 2120 wrote to memory of 1548	2120	Nlefjnno.exe	103
PID 1548 wrote to memory of 4840	1548	Nbbnbemf.exe	105
PID 1548 wrote to memory of 4840	1548	Nbbnbemf.exe	105
PID 1548 wrote to memory of 4840	1548	Nbbnbemf.exe	105
PID 4840 wrote to memory of 2792	4840	Nlgbon32.exe	106
PID 4840 wrote to memory of 2792	4840	Nlgbon32.exe	106
PID 4840 wrote to memory of 2792	4840	Nlgbon32.exe	106
PID 2792 wrote to memory of 2772	2792	Nofoki32.exe	107
PID 2792 wrote to memory of 2772	2792	Nofoki32.exe	107
PID 2792 wrote to memory of 2772	2792	Nofoki32.exe	107
PID 2772 wrote to memory of 1588	2772	Ohncdobq.exe	108
PID 2772 wrote to memory of 1588	2772	Ohncdobq.exe	108
PID 2772 wrote to memory of 1588	2772	Ohncdobq.exe	108
PID 1588 wrote to memory of 4788	1588	Oohkai32.exe	109
PID 1588 wrote to memory of 4788	1588	Oohkai32.exe	109
PID 1588 wrote to memory of 4788	1588	Oohkai32.exe	109
PID 4788 wrote to memory of 3116	4788	Odedipge.exe	110
PID 4788 wrote to memory of 3116	4788	Odedipge.exe	110
PID 4788 wrote to memory of 3116	4788	Odedipge.exe	110
PID 3116 wrote to memory of 4704	3116	Ookhfigk.exe	111
PID 3116 wrote to memory of 4704	3116	Ookhfigk.exe	111
PID 3116 wrote to memory of 4704	3116	Ookhfigk.exe	111
PID 4704 wrote to memory of 4664	4704	Ocfdgg32.exe	112
PID 4704 wrote to memory of 4664	4704	Ocfdgg32.exe	112
PID 4704 wrote to memory of 4664	4704	Ocfdgg32.exe	112
PID 4664 wrote to memory of 3980	4664	Odgqopeb.exe	113
PID 4664 wrote to memory of 3980	4664	Odgqopeb.exe	113
PID 4664 wrote to memory of 3980	4664	Odgqopeb.exe	113
PID 3980 wrote to memory of 2736	3980	Okailj32.exe	114

C:\Users\Admin\AppData\Local\Temp\1b9a06e8161cd3e33a72c0d0e8348dea7bbd1fc46fc739481db8615f2100e1a9.exe
"C:\Users\Admin\AppData\Local\Temp\1b9a06e8161cd3e33a72c0d0e8348dea7bbd1fc46fc739481db8615f2100e1a9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\Ldkhlcnb.exe
  C:\Windows\system32\Ldkhlcnb.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\Mclhjkfa.exe
    C:\Windows\system32\Mclhjkfa.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:784
  - - C:\Windows\SysWOW64\Mhiabbdi.exe
      C:\Windows\system32\Mhiabbdi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3952
      - C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        36⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\Alkeifga.exe
        
        C:\Windows\system32\Alkeifga.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Abemep32.exe
        
        C:\Windows\system32\Abemep32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Aecialmb.exe
        
        C:\Windows\system32\Aecialmb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Aeffgkkp.exe
        
        C:\Windows\system32\Aeffgkkp.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Amoknh32.exe
        
        C:\Windows\system32\Amoknh32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\Bmagch32.exe
        
        C:\Windows\system32\Bmagch32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\Bppcpc32.exe
        
        C:\Windows\system32\Bppcpc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Bpbpecen.exe
        
        C:\Windows\system32\Bpbpecen.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\Bflham32.exe
        
        C:\Windows\system32\Bflham32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Bfoegm32.exe
        
        C:\Windows\system32\Bfoegm32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        68⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        89⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Dbfoclai.exe
        
        C:\Windows\system32\Dbfoclai.exe
        90⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Dlncla32.exe
        
        C:\Windows\system32\Dlncla32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        95⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        97⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 232
        99⤵
        Program crash
        
        PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5984 -ip 5984
1⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4404,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=1284 /prefetch:8
1⤵
PID:5304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amoknh32.exe

Filesize
74KB

MD5
3a101d2ac8dbaf29da9f026adaefeba8

SHA1
6289bcb4203d94e7d58cffb94cfd0c87c1816721

SHA256
d435ec3ca42cc22ef7144ff882d62c952b498d01a127e23523558566e5f25158

SHA512
da432ff20a48a42ef363b659ebafab0de540a5976261656886b7d0e4dd85f38ac1c5c6329293f138bd8cd78db70dc36a344b75e3c35e0f287f437a8507d77774

Download Submit
C:\Windows\SysWOW64\Cbhbbn32.exe

Filesize
74KB

MD5
9d2633a757eee3bb29c6492aa0db992f

SHA1
3efa811687af7bd6f2d57a1c65e220f4fb6e2cae

SHA256
2284f62b365447e17e27641216e7e3c9131a8e57210fae3a75f4f02154d61780

SHA512
bf8a546571e061bf27be255282e4a34f0cd62083b8b72b8e0a124a4882d6e30d53e9e57f1cefc6ae6560d16cd048890e924e2d88b84708bf3b06c0b8cf5f55f4

Download Submit
C:\Windows\SysWOW64\Cehlcikj.exe

Filesize
74KB

MD5
7d21ffbd086501a34d3be9488453b74c

SHA1
eb570d5690a35d64ec81e9bf9e8356e41a6e7b83

SHA256
a21bda71e4818d9b49fe5da71490a0ded53549d2dfcbf2d69c2f9fc4976324fc

SHA512
71758723cca5367aeac9c2d4e0779141e10d8fff42fa28cacfb99257745e0bac5b6013da5c1259574e25add7b38080c3ffa91183181f77f951be14fb04dde4f9

Download Submit
C:\Windows\SysWOW64\Cekhihig.exe

Filesize
74KB

MD5
46f21e747273fe5f92c62972c0edad8c

SHA1
e79c9020f4bcc1d13cc25009868675063077dbf2

SHA256
93c1552f6f2b90ad1aabcd0c0fa15e27bf5f63bfdacaba7415744e6f2cb872c3

SHA512
db31f791ff2583defef2163af33d76f7af738f16108270afb9115643ae008d2d062a87c5c7968532c5cc80471a7397a26c7c853ec55005ef9f969e32cae51f05

Download Submit
C:\Windows\SysWOW64\Ldkhlcnb.exe

Filesize
74KB

MD5
5fb6940788cff09ed0977e34df722f41

SHA1
4c550e0193d4607fe6510189a277958317d054ab

SHA256
c3ca0fa02420071a158ebf27d91a9fab95e636e451ff6543a63b210fca9b7613

SHA512
74e3475284af8d051958c2c616cb981e51049ba3b395866ffbd774c36cf7ee2568ef6466bae00fcd4768414c545a3b19a28939fa73efe260c2599e6af0ca7dd2

Download Submit
C:\Windows\SysWOW64\Mclhjkfa.exe

Filesize
74KB

MD5
f00267f7ab293a0e9c8f2e8db90f434f

SHA1
82bfdfa02a9c2d4ee09c4304f0eb5a42bff7fab1

SHA256
57fc0ebc2ffe887e0f9b84cc5cc607f9f69218329be75124e19a0dc0d98dc092

SHA512
8aca86af510b3bd608c4cc4ec83e873eacd8a831d50cf239301d7f503a0c6130156f89afe0f4655b7f7d7e3958165ac909d5f6c0013842f7f8e18044f089e6ee

Download Submit
C:\Windows\SysWOW64\Mhiabbdi.exe

Filesize
74KB

MD5
9b67cfb5f6bffe0dc10ba08c2959b01f

SHA1
1fe32355ec05d37228d3915bd3bcf84c9971365d

SHA256
1463f78530306a46b093785eee3a4994bd346133cb9afbc48a2ad1181db4215f

SHA512
f98e24f3eabd56778e1229f88024c2abcbb146ae4a9d7d4a43dade687ce07143c2cfd9d9ea66ea4b43d43144de75057a1dc35147d93f282ffea0f97565421483

Download Submit
C:\Windows\SysWOW64\Nbbnbemf.exe

Filesize
74KB

MD5
0c5db0dbae72e0cd975bef45e2033ec2

SHA1
2fd7b2a5a792fa86e27ab051d404b0d2c384ead5

SHA256
28b077bd8a7d812241f67a1f5f9c257ccdc9905d27d01e22c2aac2b0d8bc0230

SHA512
28f094190096959e5e46c62de1e66eec646be5a8646e880de960f4635a80d9d24de983d6dbdbae1d9dcd1dd35e528ad866ffde7a28ea9d17e36e7c454cd36537

Download Submit
C:\Windows\SysWOW64\Ncjdki32.exe

Filesize
74KB

MD5
20763b3daff094311df82f90d4b257cb

SHA1
e6289a457d6635e3bd90eb40dc80406eabd85856

SHA256
805ef3c4a2dfa1160c57c59f0eceef9afedd970785737a428cd4988e3e271322

SHA512
777c2bb4004b529b76f2423d56c8ceb5e28facf9645dfabb73e6ff4f7532353d917c5aed788b1fe99ddebf25b89c92a6b952e628bf659a705939dfaaf580ef72

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
74KB

MD5
8f36125675cb6b10980608188f5e8b87

SHA1
c47e23b65fbbb3d27aa20be15731c0cf9438ffda

SHA256
d4a77e496a835bf43be8fbe08fe3e80cbee9a10b2d223f99310854fd1f8151f7

SHA512
d8822647537d1ce4c96a8737688d7136c173b343eb40fbc720843fff6a1697b9fb4fefcdec01d210b44b4ad261943f0f190b6150f1e6cd6e36c7f5465ab08d80

Download Submit
C:\Windows\SysWOW64\Nfknmd32.exe

Filesize
74KB

MD5
d2f517a28f260bbf28f40eb3abfe7fa0

SHA1
97141a52ecd2287a023aed57cb3e45d5c0b68130

SHA256
1b98089b50c07236900038bb7546e1317efd20dfec0f601bf43c7deea8a45064

SHA512
a7bd3f3ab9d39050d313387297c8aadda12c0ae618fab892fe8601243d84c708864833c1c8bb8965334f6af7b235c31980d1e51deea52f8ab778a06a65ec0eb9

Download Submit
C:\Windows\SysWOW64\Nheqnpjk.exe

Filesize
74KB

MD5
3d862e0effa877c87e9836067cb9f586

SHA1
ee216ecee6b0aeeba8f88be58187928bdc8174e9

SHA256
07a7688f7afe8667e1d1b281ac582897d189ec8a32c2182b6d6a1617b0345716

SHA512
61744a5c367a26125829e689728cb86e95125f8c7ff9844f9db7434cae986614d6a8dc106e0067ca3269029954449a5cc4d56e7ccb45cfb1025f4e5f1b961929

Download Submit
C:\Windows\SysWOW64\Nhgmcp32.exe

Filesize
74KB

MD5
54f6d7bb84531b39c14133ce4e520479

SHA1
2dcf10de3fcbf35fb85e39f032690b0f585fac24

SHA256
a0778f719d27ebcfc01c75d110119f97bdf2f996e761f77f8badc6d571c9e0b6

SHA512
c6bfeb5e2b9164cb6b889fd4b09b2fed150d336980851389375a66fdb874d55950621db7fd360e9e103ede46eb758ec65eec218a56f4e4e09bd21ac3bdd4838e

Download Submit
C:\Windows\SysWOW64\Nlefjnno.exe

Filesize
74KB

MD5
2267b0118b1e356ebe438d9b0b72768e

SHA1
d20d9c7a95f0926ef7cae5cca2190c730bc0f801

SHA256
b020e8adba340b5ff9ea90fdec9ce886f3e31bbe667a30961560e6f045430819

SHA512
646b88cd0271e03591f6956e206876750ffc36d11ada0b1b95ac88c73453753fa2a23391901dfff4ece3fb323d93464c8348ba2027e9b5339d29581bcf19c0df

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
74KB

MD5
39825efc4793c857a41aeee56c2db3df

SHA1
a05f2e906c344fa90de66938473a19dc159e7f76

SHA256
8cb647ee249503e37e2f66f7261625a13cfd3fc23a82ea71172e84a629e9f04e

SHA512
0f7a2b6a86c8d9d68c4f213b807bb1601fd94eb00978f41ffa427335dff326d6300d4eb3f6fc35764d09ada4ef9cb07f5e9179c3850d14c80e4a176b913b307d

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
74KB

MD5
79a6bd842fea94a38c27d2a03185c3de

SHA1
7aebdde5801fb9e4b5c5f119eb9cb3880ae8f56a

SHA256
fa57366e46db0b20db06641a12e5fafc17602b4aa61186856e7d7b032b9a8b85

SHA512
0f7965611d5cfe7cad7f1399b135d68c82a3c28e981c783e74a3fdb624bc453dbaf081f2ffc6a6c7507f4f944013f7fb77c6d27548f548433e9a1c9dc8d9e087

Download Submit
C:\Windows\SysWOW64\Nofoki32.exe

Filesize
74KB

MD5
9be1662a65309b7893894903fed30a94

SHA1
ef7e35373f6884241f97885d1a1fd57731627d6c

SHA256
e3e07f2870a91d9eeca2acdb297d6f71f016a2db857f3f57e2d75d73f533e0d2

SHA512
aa054d39da3b1f60fbd8e9df2b92e0f5b4a4a45768a7cd0a6f1a2b3e62d9fd8de52f5d095ebbe3d8bbb6e36e7b3ec2a4f93ed56bcaf13cedae6b19782cf1aaec

Download Submit
C:\Windows\SysWOW64\Nomlek32.exe

Filesize
74KB

MD5
90e89592b912ccb72a88eeca26dc5ec1

SHA1
592d332ca538eae4fc360050b33237cd3e4348aa

SHA256
bcfa738617ee5406e5d3b7470bfd513656c900548b8b243ea7ca528c140147dc

SHA512
e26151e1e6c97517ec0bdc833f4bf11e72403286c244d6b4db14e395e7cc130edba2ded058a1925de9838a0a2f3b7c387c8d8dceaf8d4de597385dcf35529f1c

Download Submit
C:\Windows\SysWOW64\Obnnnc32.exe

Filesize
74KB

MD5
12ffeb7f047d1ecb08aeb51057075e95

SHA1
9c07847cb02985b1e7080524ca0a2ba8c2544786

SHA256
456dadb44f2ea6fba459f90a08c93d23987275bc899e31d77c5f3854e1ca1f06

SHA512
b53b158a33518258fdb1e1f301450b7bbe3717dc02b89d9bbd96ed129c2e39ac188ef46599e677c6b13ab1b177b0c792dd65e6f26870dbb58677871e15850482

Download Submit
C:\Windows\SysWOW64\Obpkcc32.exe

Filesize
74KB

MD5
a1a7d127784c3c840b8c63a8eea738a3

SHA1
757f0e7ca6ae2d1d8f87c4bb988c8020fe058c95

SHA256
70ad3b234302d8cc8b09be071760ae8853627675116df18fd6d40d890188c889

SHA512
54c641b6e4cb3064794b4b679572fa6420fdd7f8119f2fca321af7cb5bb83ce1d5d05d6e65b785d7dcde7516d9d41c5102640779584949263fdc4bc44d4fdd31

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
74KB

MD5
8fb1b9a7053c413fe6cd542f66e46dde

SHA1
8ee077966c5b5997b1d319059a7348803f47183f

SHA256
b1ec451ebe990e1e162106e75a4879d646f3c8c2bfeb334efed32445617af4ff

SHA512
b258ae4fa7b324398ed74a94ec1fe22a826157a5609c1e015575ab29411221631d9d6e588e87720636f8c5b15878165414bb2149792996f63c721583bd2e7256

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
74KB

MD5
04475d5c26578d4b7d17393408e466fb

SHA1
8673e4e6b81537f2e9af06486a1ba679e04b6701

SHA256
c06a175287802792eef6e8221010a668bd950b8b7b1a555f876297b276df3acd

SHA512
878b7c022825f7ab35727f3740d0d7458367e13abda4481c26eb046ed60c334ebc7bb08dd36b784a206df832766e5399675d9700692efe523a29567cda4f91bc

Download Submit
C:\Windows\SysWOW64\Odgqopeb.exe

Filesize
74KB

MD5
c0ffb1e8776904259d8bf29adb2ad3e5

SHA1
a13ff11388291e18c28c1eb90dc653ff8697199f

SHA256
775cd22b995b7a0a9a7219bc2b54f92b7962a2489a3b98b4266ff2e585a8ad08

SHA512
0de9f08a64002cad1f71f6b9cfbc95232b514ecc55870e5dc4fde1d4c6858f9a5dd2f8292a50fe1b64aa3027a1b213a7b65f2ece1d281a2989f625b88d9d2593

Download Submit
C:\Windows\SysWOW64\Odjmdocp.exe

Filesize
74KB

MD5
a90b03ffe46f830bb92c6d84bee769ec

SHA1
ae5faf9845c667fa0b266a266836ad8af6ff01b0

SHA256
87d67fbeef5928c65cccd06348ff37c9da501e65299421fab6795ee60c1af950

SHA512
061657dc3c20a979945a4d0ab3d802ad63acc75118c305bcc95b5e3f6e97c3f6042c0e173896e1754d57ef02f4aee559f495b6a71ec99f560f03c299419c5b1e

Download Submit
C:\Windows\SysWOW64\Ohhfknjf.exe

Filesize
74KB

MD5
f5be941c701c84bff6730c8000c483ab

SHA1
99dc0d095c911dee16c62239efb68299798b14b4

SHA256
b56a0e04fa7a3cae76802abbf1417bc988dce1784cb757ab83584d5ada982b39

SHA512
7c5aa0db24067b8b5ee0098ab910456920a39c841686a56a2986207b3390c208f34e2e689ecdf260c9a4767b2065cfd4c65dedafd851710a4bb6ecc9d6740a1d

Download Submit
C:\Windows\SysWOW64\Ohncdobq.exe

Filesize
74KB

MD5
0545d6fbd2d079f730e987bd08efcf13

SHA1
e465793e8bcb1d40242a63921dbe2c51da3cacb1

SHA256
b10c72d98120250a026d2f0b9690ccdb133ad273f337f7845107cddf3a6d24e6

SHA512
308c10ae824c33ca4c6efe3d2a08c596c44374e910fa6bb1209f84d822a47282cbf09bd66c77b727205f2ac90999f1a4c156e39bdb35de05e1e1d31ba2684ccd

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
74KB

MD5
d026dfb68c9530cec6f4a95761b5184f

SHA1
d3ae82eb15755a24f93f189f1d7558e1d7c2922b

SHA256
b290b2d2d1e252c0e7ee63c7a3a53e665495a9124b0ea2a6049e8c93f01f7b72

SHA512
2ede501d5aa5ded79fed2310ae6b9d347c41eccb3c6a986ba19967074bd39de85f7c4d1984ce47ff426ad9abef98d3e452f756edf6eb2950b763300b37f1a96e

Download Submit
C:\Windows\SysWOW64\Omaeem32.exe

Filesize
74KB

MD5
e5e70bdc0a9864e5c46932f87f20976b

SHA1
ec438847aa97cb4affa190ca542793f3c13ba506

SHA256
c2e615ce9fb35dfd825dfcf207dc961b520f03b0e8f95c2f4880cbfa0f5f1687

SHA512
9a4ca801336416d6ff756ea358ff0a026c2ce71bae03fa6954baf9e57e18ff3e6677162681b2d1c5a83e49017206cdb7a7ec2b7feb2023cfa8ea776ec5c93d4e

Download Submit
C:\Windows\SysWOW64\Oohkai32.exe

Filesize
74KB

MD5
be59d994bb9304cbda53106e199cbb2b

SHA1
8d0c894d79da986311e9cc3520deb543a74d786c

SHA256
e3d2b620f0c5ec671e058f87eb25bb518c87e82a5777f0868ac9d80202b08c33

SHA512
e7526eb6ba23777f46de24858df000f7fcf88451303f4355ef51b7972d14b5f0a72a8d71bcc5382efc7d8bd5d601e1aa6b1208160ec353c1b6090478962c24ed

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
74KB

MD5
dbb14ba1131b6bce5f9d6802a98e78a1

SHA1
9015033e6d210f70ce7677436e9e2d3c86455571

SHA256
58ba0b16441d7980c7b310958ef33535c5ab8d2d5d1ad71b6ae69d2350ac5d0f

SHA512
4a22a6209ebe6dc35a3c7d841695075bb019f5c962081ecebd97c7d6d0b635aeacd5b254b76203b1049823a68ffc8d30ce3041768f4e774dc016307f526aec3e

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe

Filesize
74KB

MD5
9f21f7d0a81b112f283ed66521909867

SHA1
0d553a7046418f848a60e30f1746aef017fca966

SHA256
9c1d66f728905f15e1fb6147dc448c2e1c2c8d235303a39c3e4307f9c4ec0eff

SHA512
5d66bb5154aa643269769e19f3d06f419cfbd706d5623505b3c8f8c2ffccd5ed7b3e6fd6805fd2109345cc205efe81924fefa9084a2d8b7816539b12a6d49286

Download Submit
C:\Windows\SysWOW64\Pcpgmf32.exe

Filesize
74KB

MD5
dfd42ae981b66a69757169d8cb15e502

SHA1
6c14396f7b5ff5699943bf0291544ac3b70e5617

SHA256
9395e256999ef1a34f7f1af31e6e2f068d16ca3ccc32c6eb11d37678a901c148

SHA512
e7acba87177b02d1f27ab7204cceb311ada7279e728323b2d2f783792d2a66325e4f33010bdbbeb5fae3cffad71ced2ea41f296f9fdd34f33b947de2e9dcd766

Download Submit
C:\Windows\SysWOW64\Pfppoa32.exe

Filesize
74KB

MD5
ea78b7c60d70a70cda431f93f60fc752

SHA1
9298dcce5e41cff9f60b69983d7853de7a3fab6f

SHA256
6129d70f4ddd4e24fba611029ae98f2dc72adf514e3651f78c3a3ccf79dad967

SHA512
85e21f5731b9df614e05931a0ba4ffdeaff7d9cb120b824e0f1c93249b0c5f9d34a0bbc26f4196a951ce04552a0ff7e49595a83ddb8d0c620e104214ab79c21f

Download Submit
C:\Windows\SysWOW64\Pijcpmhc.exe

Filesize
74KB

MD5
efa23abe76c7eeaffd7200f2973fa9a9

SHA1
85838dc043a2a852719253fe89d12341c050d686

SHA256
f19201f136390e667dc47d78b8d64d1aeb6f77face151e9bf6cbdaf94f20225d

SHA512
701f9c2d19db38fa8c95ea6837bb59c8f7aba6ce03b2e0b9f3c0bc1e8b6c6152c6c22d13acb59c8e33cd45b62308cf28b16ef208df8fb4cc800490dc9d374ea5

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe

Filesize
74KB

MD5
c923cd6f7b6418c5bf05b141569a0410

SHA1
0a1d15008d3762a90206e05beba9815701e11e2c

SHA256
40e23e349facb5c6984c11eb952b73146e045cfde44908bf54091036aa07516d

SHA512
2865161c0057c9bf28a9308a6437c0578922c0863b22bb87f9d3185b41cee0d06c16fbb1ce802f19621d4c6dbe05fd141b88100daea3b61e3ad26d0c78e1d00a

Download Submit
C:\Windows\SysWOW64\Pmhegoin.dll

Filesize
7KB

MD5
2168665c16a404cbac984d7514d6f050

SHA1
bcf13a768af44ea70861a394773a2113befb3af7

SHA256
ecc97e1b6bf3643f5491a812b3175c6585467bfe09cddcdea59329c8f3503afe

SHA512
00e7eccc96784d2417037668e460702104e0a7be30b4d149558f3fae27d7841c3d1855144252c4032b0a00c8cfa79b3758c66d3579687eab475daf18457718e7

Download Submit
C:\Windows\SysWOW64\Pmhkflnj.exe

Filesize
74KB

MD5
a6f68b06e8e029aa6e9924a668864ee0

SHA1
fb30cae26b9ef80e451feffb256203819ff1cfdf

SHA256
0fc2d2eb7a251e2a54073151a5a478df28dfd90cc02d86cdee570f5446ade8ca

SHA512
39218719f9b27dc531290dffdc1fe5193a1f8403eef1caa9a9cedff28719bbd4092c769a9433d36ebc347b15f252e52b4178b4cc713ca058c84042bdd79d1857

Download Submit
memory/540-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/680-422-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/784-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/784-558-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/872-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1184-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1332-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1448-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1480-544-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1480-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1504-196-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1532-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1548-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1588-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1716-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1788-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1928-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2120-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2208-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2264-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2420-256-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2436-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2520-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2704-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2736-180-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2772-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2788-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2792-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3024-565-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3024-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3040-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3116-146-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3192-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3300-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3460-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3580-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3580-586-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3704-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3720-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3736-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3756-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3804-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3952-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3952-572-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3976-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3976-593-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3980-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4048-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4232-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4292-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4332-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4348-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4372-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4372-579-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4460-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4464-188-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4608-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4636-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4664-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4704-156-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4708-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4728-252-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4788-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4796-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4828-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4840-104-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4900-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5052-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5064-244-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5076-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5076-551-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5108-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5132-448-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5192-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5232-460-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5272-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5312-472-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5352-478-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5392-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5432-490-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5472-496-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5512-502-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5552-508-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5592-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5636-520-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5676-526-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5716-532-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5756-542-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5796-545-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5844-552-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5888-559-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5932-566-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5976-573-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/6020-580-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/6064-587-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/6116-594-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads