fc83c0a3590f1cb3ac6f3b385f56388c83c10b15c10a72aeaeb5708100d33dac

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc83c0a3590f1cb3ac6f3b385f56388c83c10b15c10a72aeaeb5708100d33dac.exe
Size

144KB
MD5

4fac1819546785c8b69a0f5eb35badcb
SHA1

020c8494535ad97e0492fe683f7629948bd336ba
SHA256

fc83c0a3590f1cb3ac6f3b385f56388c83c10b15c10a72aeaeb5708100d33dac
SHA512

cfd179d07d4ef643712f09eb0eb264a2aaf08fe414fc4b16ce05bdb28a55f59cd39f395a81f97da6ab12917974c4a64ea4d75b5fde8c65c95684cbd9a6b3039a
SSDEEP

3072:G/KHG3FDNkrUB3kremwc/gHq/Wp+YmKfxgQd:lCUoB3/fc/UmKyI

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkocol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nooikj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeopfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclppboi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odedipge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfpghccm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ochamg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afceko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bipnihgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcila32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qckfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abemep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acdioc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odedipge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aimhmkgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alkeifga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bihhhi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beoimjce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpemkcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpemkcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cibkohef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimhmkgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aiabhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclppboi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nooikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjckkcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alkeifga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abemep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcbeqaia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpcdfll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndlacapp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhjjip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ollljmhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aioebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bblcfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcbeqaia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Namegfql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejobk32.exe

Executes dropped EXE 64 IoCs

pid	Process
3324	Lkcccn32.exe
3088	Lcjldk32.exe
2860	Mkepineo.exe
3952	Mekdffee.exe
64	Mkocol32.exe
2588	Medglemj.exe
928	Nkapelka.exe
2704	Ndidna32.exe
2448	Nooikj32.exe
3328	Namegfql.exe
2832	Ndlacapp.exe
3732	Napameoi.exe
4392	Nhjjip32.exe
3796	Nkhfek32.exe
4104	Nhlfoodc.exe
4788	Nkjckkcg.exe
3736	Nfpghccm.exe
184	Oljoen32.exe
1600	Odedipge.exe
4052	Ollljmhg.exe
4960	Ohcmpn32.exe
2364	Ochamg32.exe
2244	Odjmdocp.exe
408	Oooaah32.exe
1316	Ohhfknjf.exe
5012	Okfbgiij.exe
4596	Oflfdbip.exe
348	Pkholi32.exe
3564	Pbbgicnd.exe
2288	Pmhkflnj.exe
4964	Pbddobla.exe
3220	Pmjhlklg.exe
1684	Pcdqhecd.exe
3620	Peempn32.exe
4704	Pmmeak32.exe
4436	Pcfmneaa.exe
4340	Pehjfm32.exe
4884	Pkabbgol.exe
1504	Pcijce32.exe
2720	Qejfkmem.exe
3040	Qmanljfo.exe
4440	Qckfid32.exe
1576	Qfjcep32.exe
2872	Qmckbjdl.exe
312	Qcncodki.exe
676	Aeopfl32.exe
3660	Akihcfid.exe
920	Abcppq32.exe
4220	Aimhmkgn.exe
2324	Alkeifga.exe
3940	Abemep32.exe
4904	Aioebj32.exe
4864	Acdioc32.exe
1588	Afceko32.exe
3280	Aiabhj32.exe
468	Acgfec32.exe
3976	Afeban32.exe
1132	Albkieqj.exe
4900	Bblcfo32.exe
980	Bejobk32.exe
2764	Bmagch32.exe
4828	Bclppboi.exe
3596	Bfjllnnm.exe
2664	Bihhhi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Peempn32.exe	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Hkidlkmq.dll	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Nhjjip32.exe	Napameoi.exe
File opened for modification	C:\Windows\SysWOW64\Aeopfl32.exe	Qcncodki.exe
File opened for modification	C:\Windows\SysWOW64\Aimhmkgn.exe	Abcppq32.exe
File created	C:\Windows\SysWOW64\Hkjfpp32.dll	Cehlcikj.exe
File created	C:\Windows\SysWOW64\Adlafb32.dll	Cmgjee32.exe
File created	C:\Windows\SysWOW64\Nkapelka.exe	Medglemj.exe
File created	C:\Windows\SysWOW64\Oflfdbip.exe	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Qmanljfo.exe	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Ifoglp32.dll	Qcncodki.exe
File created	C:\Windows\SysWOW64\Gdokakcj.dll	Aimhmkgn.exe
File created	C:\Windows\SysWOW64\Albkieqj.exe	Afeban32.exe
File created	C:\Windows\SysWOW64\Elgide32.dll	Bcbeqaia.exe
File opened for modification	C:\Windows\SysWOW64\Mkocol32.exe	Mekdffee.exe
File opened for modification	C:\Windows\SysWOW64\Bfjllnnm.exe	Bclppboi.exe
File created	C:\Windows\SysWOW64\Beoimjce.exe	Bpbpecen.exe
File created	C:\Windows\SysWOW64\Nfcnnnil.dll	Cmpcdfll.exe
File created	C:\Windows\SysWOW64\Ddcogo32.exe	Dfonnk32.exe
File created	C:\Windows\SysWOW64\Bgcboj32.dll	Peempn32.exe
File created	C:\Windows\SysWOW64\Gdojoeki.dll	Ohcmpn32.exe
File opened for modification	C:\Windows\SysWOW64\Pkabbgol.exe	Pehjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Akihcfid.exe	Aeopfl32.exe
File opened for modification	C:\Windows\SysWOW64\Cibkohef.exe	Cbhbbn32.exe
File created	C:\Windows\SysWOW64\Cfmahknh.exe	Cpcila32.exe
File created	C:\Windows\SysWOW64\Nfpghccm.exe	Nkjckkcg.exe
File created	C:\Windows\SysWOW64\Bpemkcck.exe	Beoimjce.exe
File created	C:\Windows\SysWOW64\Ndfchkio.dll	Cibkohef.exe
File created	C:\Windows\SysWOW64\Pdkpjeba.dll	Cboibm32.exe
File created	C:\Windows\SysWOW64\Mfppnk32.dll	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Cmpcdfll.exe	Cehlcikj.exe
File created	C:\Windows\SysWOW64\Cpcila32.exe	Cboibm32.exe
File created	C:\Windows\SysWOW64\Ioeiam32.dll	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Nfoceoni.dll	Medglemj.exe
File created	C:\Windows\SysWOW64\Fklociap.dll	Ndlacapp.exe
File created	C:\Windows\SysWOW64\Nkebqokl.dll	Afeban32.exe
File opened for modification	C:\Windows\SysWOW64\Beoimjce.exe	Bpbpecen.exe
File opened for modification	C:\Windows\SysWOW64\Nkapelka.exe	Medglemj.exe
File opened for modification	C:\Windows\SysWOW64\Namegfql.exe	Nooikj32.exe
File created	C:\Windows\SysWOW64\Ohbikenl.dll	Okfbgiij.exe
File opened for modification	C:\Windows\SysWOW64\Qcncodki.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Bpbpecen.exe	Bihhhi32.exe
File created	C:\Windows\SysWOW64\Agccao32.dll	Bpbpecen.exe
File opened for modification	C:\Windows\SysWOW64\Nooikj32.exe	Ndidna32.exe
File created	C:\Windows\SysWOW64\Amkejmgc.dll	Cbmlmmjd.exe
File opened for modification	C:\Windows\SysWOW64\Pbddobla.exe	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Napameoi.exe	Ndlacapp.exe
File created	C:\Windows\SysWOW64\Okcfidmn.dll	Napameoi.exe
File opened for modification	C:\Windows\SysWOW64\Pmhkflnj.exe	Pbbgicnd.exe
File opened for modification	C:\Windows\SysWOW64\Qckfid32.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Dqjhif32.dll	Abcppq32.exe
File created	C:\Windows\SysWOW64\Pkjdhm32.dll	Abemep32.exe
File opened for modification	C:\Windows\SysWOW64\Bcbeqaia.exe	Beaecjab.exe
File created	C:\Windows\SysWOW64\Mekdffee.exe	Mkepineo.exe
File created	C:\Windows\SysWOW64\Nfmcle32.dll	Ddcogo32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeak32.exe	Peempn32.exe
File created	C:\Windows\SysWOW64\Daliqjnc.dll	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Ndidna32.exe	Nkapelka.exe
File created	C:\Windows\SysWOW64\Pkholi32.exe	Oflfdbip.exe
File opened for modification	C:\Windows\SysWOW64\Nhlfoodc.exe	Nkhfek32.exe
File created	C:\Windows\SysWOW64\Pbbgicnd.exe	Pkholi32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dmnpfd32.exe
File opened for modification	C:\Windows\SysWOW64\Napameoi.exe	Ndlacapp.exe
File created	C:\Windows\SysWOW64\Ebldoh32.dll	Dfonnk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6060	5968	WerFault.exe	178

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cehlcikj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbmlmmjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpcdfll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmahknh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkepineo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejobk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkcccn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhjjip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpghccm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acdioc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albkieqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibkohef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcogo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc83c0a3590f1cb3ac6f3b385f56388c83c10b15c10a72aeaeb5708100d33dac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndidna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oljoen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkapelka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmagch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bihhhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcbeqaia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcjldk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhfknjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medglemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiabhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclppboi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Namegfql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peempn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afeban32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beoimjce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbhbbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbpjfij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abemep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afceko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfmneaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bblcfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfjllnnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjckkcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedipge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbgicnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipnihgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cboibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhlikpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acgfec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpbpecen.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbbgicnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjdhm32.dll"	Abemep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alkeifga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bblcfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aiabhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclppboi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	fc83c0a3590f1cb3ac6f3b385f56388c83c10b15c10a72aeaeb5708100d33dac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmcle32.dll"	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkocol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfiefp32.dll"	Acgfec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclppboi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiaeig32.dll"	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanhkb32.dll"	Alkeifga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cibkohef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkidlkmq.dll"	Ohhfknjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpcdfll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgdeb32.dll"	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfjllnnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Namegfql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmpakdh.dll"	Namegfql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqjhif32.dll"	Abcppq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpemkcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkpjeba.dll"	Cboibm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fc83c0a3590f1cb3ac6f3b385f56388c83c10b15c10a72aeaeb5708100d33dac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfoceoni.dll"	Medglemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklociap.dll"	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjfpp32.dll"	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenflo32.dll"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdokakcj.dll"	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndfchkio.dll"	Cibkohef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdkpe32.dll"	Lcjldk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Napameoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Albkieqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odjmdocp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3324	1480	fc83c0a3590f1cb3ac6f3b385f56388c83c10b15c10a72aeaeb5708100d33dac.exe	90
PID 1480 wrote to memory of 3324	1480	fc83c0a3590f1cb3ac6f3b385f56388c83c10b15c10a72aeaeb5708100d33dac.exe	90
PID 1480 wrote to memory of 3324	1480	fc83c0a3590f1cb3ac6f3b385f56388c83c10b15c10a72aeaeb5708100d33dac.exe	90
PID 3324 wrote to memory of 3088	3324	Lkcccn32.exe	91
PID 3324 wrote to memory of 3088	3324	Lkcccn32.exe	91
PID 3324 wrote to memory of 3088	3324	Lkcccn32.exe	91
PID 3088 wrote to memory of 2860	3088	Lcjldk32.exe	92
PID 3088 wrote to memory of 2860	3088	Lcjldk32.exe	92
PID 3088 wrote to memory of 2860	3088	Lcjldk32.exe	92
PID 2860 wrote to memory of 3952	2860	Mkepineo.exe	93
PID 2860 wrote to memory of 3952	2860	Mkepineo.exe	93
PID 2860 wrote to memory of 3952	2860	Mkepineo.exe	93
PID 3952 wrote to memory of 64	3952	Mekdffee.exe	95
PID 3952 wrote to memory of 64	3952	Mekdffee.exe	95
PID 3952 wrote to memory of 64	3952	Mekdffee.exe	95
PID 64 wrote to memory of 2588	64	Mkocol32.exe	96
PID 64 wrote to memory of 2588	64	Mkocol32.exe	96
PID 64 wrote to memory of 2588	64	Mkocol32.exe	96
PID 2588 wrote to memory of 928	2588	Medglemj.exe	98
PID 2588 wrote to memory of 928	2588	Medglemj.exe	98
PID 2588 wrote to memory of 928	2588	Medglemj.exe	98
PID 928 wrote to memory of 2704	928	Nkapelka.exe	99
PID 928 wrote to memory of 2704	928	Nkapelka.exe	99
PID 928 wrote to memory of 2704	928	Nkapelka.exe	99
PID 2704 wrote to memory of 2448	2704	Ndidna32.exe	101
PID 2704 wrote to memory of 2448	2704	Ndidna32.exe	101
PID 2704 wrote to memory of 2448	2704	Ndidna32.exe	101
PID 2448 wrote to memory of 3328	2448	Nooikj32.exe	102
PID 2448 wrote to memory of 3328	2448	Nooikj32.exe	102
PID 2448 wrote to memory of 3328	2448	Nooikj32.exe	102
PID 3328 wrote to memory of 2832	3328	Namegfql.exe	103
PID 3328 wrote to memory of 2832	3328	Namegfql.exe	103
PID 3328 wrote to memory of 2832	3328	Namegfql.exe	103
PID 2832 wrote to memory of 3732	2832	Ndlacapp.exe	104
PID 2832 wrote to memory of 3732	2832	Ndlacapp.exe	104
PID 2832 wrote to memory of 3732	2832	Ndlacapp.exe	104
PID 3732 wrote to memory of 4392	3732	Napameoi.exe	105
PID 3732 wrote to memory of 4392	3732	Napameoi.exe	105
PID 3732 wrote to memory of 4392	3732	Napameoi.exe	105
PID 4392 wrote to memory of 3796	4392	Nhjjip32.exe	106
PID 4392 wrote to memory of 3796	4392	Nhjjip32.exe	106
PID 4392 wrote to memory of 3796	4392	Nhjjip32.exe	106
PID 3796 wrote to memory of 4104	3796	Nkhfek32.exe	107
PID 3796 wrote to memory of 4104	3796	Nkhfek32.exe	107
PID 3796 wrote to memory of 4104	3796	Nkhfek32.exe	107
PID 4104 wrote to memory of 4788	4104	Nhlfoodc.exe	108
PID 4104 wrote to memory of 4788	4104	Nhlfoodc.exe	108
PID 4104 wrote to memory of 4788	4104	Nhlfoodc.exe	108
PID 4788 wrote to memory of 3736	4788	Nkjckkcg.exe	109
PID 4788 wrote to memory of 3736	4788	Nkjckkcg.exe	109
PID 4788 wrote to memory of 3736	4788	Nkjckkcg.exe	109
PID 3736 wrote to memory of 184	3736	Nfpghccm.exe	110
PID 3736 wrote to memory of 184	3736	Nfpghccm.exe	110
PID 3736 wrote to memory of 184	3736	Nfpghccm.exe	110
PID 184 wrote to memory of 1600	184	Oljoen32.exe	111
PID 184 wrote to memory of 1600	184	Oljoen32.exe	111
PID 184 wrote to memory of 1600	184	Oljoen32.exe	111
PID 1600 wrote to memory of 4052	1600	Odedipge.exe	112
PID 1600 wrote to memory of 4052	1600	Odedipge.exe	112
PID 1600 wrote to memory of 4052	1600	Odedipge.exe	112
PID 4052 wrote to memory of 4960	4052	Ollljmhg.exe	113
PID 4052 wrote to memory of 4960	4052	Ollljmhg.exe	113
PID 4052 wrote to memory of 4960	4052	Ollljmhg.exe	113
PID 4960 wrote to memory of 2364	4960	Ohcmpn32.exe	114

C:\Users\Admin\AppData\Local\Temp\fc83c0a3590f1cb3ac6f3b385f56388c83c10b15c10a72aeaeb5708100d33dac.exe
"C:\Users\Admin\AppData\Local\Temp\fc83c0a3590f1cb3ac6f3b385f56388c83c10b15c10a72aeaeb5708100d33dac.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\Lkcccn32.exe
  C:\Windows\system32\Lkcccn32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\SysWOW64\Lcjldk32.exe
    C:\Windows\system32\Lcjldk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\SysWOW64\Mkepineo.exe
      C:\Windows\system32\Mkepineo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\Mekdffee.exe
        
        C:\Windows\system32\Mekdffee.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3952
      - C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:184
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:348
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        48⤵
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Alkeifga.exe
        
        C:\Windows\system32\Alkeifga.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Abemep32.exe
        
        C:\Windows\system32\Abemep32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Acdioc32.exe
        
        C:\Windows\system32\Acdioc32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Bmagch32.exe
        
        C:\Windows\system32\Bmagch32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Bihhhi32.exe
        
        C:\Windows\system32\Bihhhi32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Bpbpecen.exe
        
        C:\Windows\system32\Bpbpecen.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Bpemkcck.exe
        
        C:\Windows\system32\Bpemkcck.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Bcbeqaia.exe
        
        C:\Windows\system32\Bcbeqaia.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Cibkohef.exe
        
        C:\Windows\system32\Cibkohef.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        87⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 412
        88⤵
        Program crash
        
        PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5968 -ip 5968
1⤵
PID:6036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2540,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
1⤵
PID:5964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aiabhj32.exe

Filesize
144KB

MD5
9abb8785ddd85fa2c389a51d4c2f8620

SHA1
23184d15ac70170b30ef1d77d8dd82beda3eae67

SHA256
ac04587ecdf48295b21059c700fd84c8cc9608ea1d8ef98a11a9c3a0d72888a6

SHA512
b7569b644de140e269ed91d00e565f37987a8e1aefade816143cebb10e294f12fd52f6ed794bb9ed96b99abaa901fe26ae4c86e12e97b309009fc2c3d544f1e3

Download Submit
C:\Windows\SysWOW64\Bejobk32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Bpbpecen.exe

Filesize
144KB

MD5
65fa801a50c29d2b2ebfd7fdb37cb7b1

SHA1
5a595424f2c6cdadd247a6fb2b42aad5e1bf02f6

SHA256
bb78ea68b782c21c3e6f7438230a65a7b14be01c97483cb9dc25f11fb586f72b

SHA512
188d27cf756e068d7a7b1e10050b236dde08401423c365c441be9abf6b33426f5f675e683908d320a5d6c9beeff443cac8db6afbd0da9d4314efa3d22c904d0a

Download Submit
C:\Windows\SysWOW64\Cbgabh32.dll

Filesize
7KB

MD5
6f6e53963fc4ca752a50397e034b8b1f

SHA1
40f96fbfd64a6f9a13d9603517d9e7c76667f8db

SHA256
009a52709839db9b171ecc04ada2dc0e76cc5f402d57d2cdc20c874f3b4b45f0

SHA512
87dd20be0e26867a893b4a992cbe6ff2721954e31486c91056c64f584861332d287832de265e340cf73560dc8567161b1f352ea613b858efcbeb5ffd75a98f3d

Download Submit
C:\Windows\SysWOW64\Cmbpjfij.exe

Filesize
144KB

MD5
a91f83db1e0b8284f7bdc7eb5c0e8a91

SHA1
63d8001f2b209fc085350e5e026be911f215d59d

SHA256
3c8176dfe68bfd494714c9e4e6e3748c1a6cee1c35e921ee51e3175f3ffcbed3

SHA512
9dbeeb03dc698d03e1583538963a40075b397758ab0d05503bbf31a04c37e19eb985484714bfd643b436c1456b069db8ee6ea017845af48d0fcb9e4906ef0038

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
144KB

MD5
e3c02820889dafa09885ab3219117fc9

SHA1
f15e17b5183638a28ba065377b55ad2c85ca1306

SHA256
9467be6da26609b9872689750a4de701db3334ae91964c5aa3ba5cfa243a8b1c

SHA512
15fcfbadbd79a39b10f4a66de2d8811db4ea8a4c01872c2659b1651548dfbbde92eed9cad3a6e1c64ad626528663cd6e95bbcdb45fc5a8d7b643e114a7fd671a

Download Submit
C:\Windows\SysWOW64\Dfonnk32.exe

Filesize
144KB

MD5
1e3839355f3dfa79795c408562e4f361

SHA1
71f2088470a94c72e110593e04aef07291ce7274

SHA256
0751bb1339c4e10cca8deb1c7843b34fbdf0d24c627249ce7fffe518562d09ba

SHA512
1f0c82c58004f2554dd988c3e4a7f97c3298bd52dd437c02ed33a30887e911078369d5c797c59ace9c1fc9c3f0455d0a7e6ea748a172a2fa3417c6ce0296daae

Download Submit
C:\Windows\SysWOW64\Lcjldk32.exe

Filesize
144KB

MD5
aa00e1b1a9a9715b8a5c145fe96ce94c

SHA1
0f82170e57788e2c0746b9a80e737fc890dce4b3

SHA256
b7c0ec57e15991cc4a8199b6c9baa21b49237d0838c578ce22ccf57e6a853644

SHA512
30bc363a61dfd18824e90fe35c48953453488d33c6849bee69779083dc39819b86f86059d80f396d696430f8a54003d204369f61f51abef0c26dc15d303d2329

Download Submit
C:\Windows\SysWOW64\Lkcccn32.exe

Filesize
144KB

MD5
d0d727da7170b668578341aa12dbca0c

SHA1
36a63566235e0605a988fe3aa4de4d0864576033

SHA256
8073c17cb65976b84001c4a8da140c7dba3d4deebef897982b154e2e335b818d

SHA512
262ade40b959345ec70889cd82aab20348dd60355abe25920f518ff1bd16d40487cfcb36b1c982201f0f5ad7993e3f956bf4ab6ac9d8fba477c3b1e74f3d1ed3

Download Submit
C:\Windows\SysWOW64\Medglemj.exe

Filesize
144KB

MD5
84c2a14179b60ef810e0b54b7a89ceb9

SHA1
42dc290bf1d87648808791868b9c1d7d62f5030d

SHA256
67aba53ff01da408588cea37115d53d16f19e5b56d2874446fe32e17452df7df

SHA512
d5855e375b97da8bdcba3cd84bf4beb220987b52fb279b648198dd9eed08ae4201d36ceee2357ea8d733ceef20ffa04999974ed709a934eed63192a491ea3ca0

Download Submit
C:\Windows\SysWOW64\Mekdffee.exe

Filesize
144KB

MD5
0acde8d2448698b18af53d5dbd1bb17f

SHA1
06fc66f163a69429b8efccde8f1a512474ebbdd2

SHA256
469bce70a87a54d3d85d41e176ff6ec4b81b4801f9371a63aa4036f48408ef06

SHA512
5f1b1aa16a5743b6b889d3921bffa95291bbe5409fc4aba6195c745909e9db2657dca112a0a6fdf3d6c75a39356d16ca0be426a728a815ef89c5602270a62ef5

Download Submit
C:\Windows\SysWOW64\Mkepineo.exe

Filesize
144KB

MD5
90855982376bb1d355841cfba6879a6a

SHA1
e4de7b06d6f4fa465d5914dce8cc9688da42311b

SHA256
bd868df7f51cc7f8e1750166309e281055fd289810d568b46371917e92b9f0c5

SHA512
6e11050d48f6ce3a6e5c4b1497adf1e8fef3b6206d1642200c0050bddf4cf1e6e2baa3c147c8465bbdf377eab1a217cdccac64fe976d07216aed9676630d307e

Download Submit
C:\Windows\SysWOW64\Mkocol32.exe

Filesize
144KB

MD5
317e5eff8533b7a2c8617c07ff6790ec

SHA1
2d719265c91c1e98797134f7afe7538684e58a15

SHA256
209cc16434017a6672fa5319b5dd55d504f6a8f11af1c4a9b02e0939b9fa7cbc

SHA512
eb46ed4aa86e70536179ce17fd8bdb00b343d85fe3db00a5c67e94a94b99f7be5315f20143339ff72df5308614b87e20828dfe9ff1fcfd73cbf1ae375a8bb270

Download Submit
C:\Windows\SysWOW64\Namegfql.exe

Filesize
144KB

MD5
803dacd4ce6ab53d98819f0f12c08c4e

SHA1
790bc3dcbfbbd0b3cee6cf7e741603d614bb6cd9

SHA256
93af074835f3f57a3da0c0e6ccc7c1b0f4e65233e21a0cec18cfe14bf69b9eaf

SHA512
b54b48051fbe0d80eb82e428aabb6180c695fcccf66e51b608cf7e56cee182b8095beb6acd94b86625b27e09f0290ef3f02639f2a6c8badaa9c26e7d990ffa0a

Download Submit
C:\Windows\SysWOW64\Napameoi.exe

Filesize
144KB

MD5
46ad7afe1ac6e4fd76c924d584ee776d

SHA1
92fe986323b85cba7ac1e5bae9fc1c4927067089

SHA256
b92df80cc928d2e89ae6ee11393d1d5a0476db1414685820d48d7284e665f572

SHA512
329ca1a8f8b4bf6209704056f519e3bae732da1b68d2c639fd11566dd52e1fe6f4f3adae70243a6a8ece0909e3a818e20d603e90ccccbc1d94f249322b69adc4

Download Submit
C:\Windows\SysWOW64\Ndidna32.exe

Filesize
144KB

MD5
84d77c119526655e1d7c5b0bd1d67f3e

SHA1
39a7f5a5e52383d284f6553a1f7c78315383cd15

SHA256
8262913d5515cea0ad348106793f3b857bc75513952bca164fbf93c2a7877383

SHA512
a569e534edb6c118bab8d4c15b94c8ca08a1c42c507fffe3699fcc3307086e034551434cc3d56b787bdb13ac5beaa37780219bfdee043c9a9c893aaab3bfeb82

Download Submit
C:\Windows\SysWOW64\Ndlacapp.exe

Filesize
144KB

MD5
b8f3485fd19cb0694129a44c43a5bb4e

SHA1
4799d132c0502028ce4641588ea3d51e1db212d7

SHA256
e42fd45bac29dc5725851a37c7f7cba48d05afa2d20f323e320927b3cebd8a04

SHA512
75e9f18f02cc107ce4584772bd169cc961928066762642dca9901efce850320218a323c3b6b612fff218932f32a996033e2403a60f4ff656d3e1669f32cb7408

Download Submit
C:\Windows\SysWOW64\Nfpghccm.exe

Filesize
144KB

MD5
ee448047bca24737094f0d004fa3ae47

SHA1
2181638354f5e8359deae398ecab50e770dffb12

SHA256
a1456b97541453c73cebf29b4fae86a8d3297d1c55bd061272bea71104b3e2c6

SHA512
af0c6bd3ea248141ce6aa44a8dc6ef30302832a9edc8b32de1af84dc63a3ae900c57635263edd30b2b01f2ffe2d3f2c814023f989e8e8026befed1fa125767db

Download Submit
C:\Windows\SysWOW64\Nhjjip32.exe

Filesize
144KB

MD5
78f438ca7d1d295c1177e64512ff4f2f

SHA1
b0d531c5ecfdd240275192641439953fb86173f3

SHA256
d687b63fb732777c8dde31131ed3bedcefa0ce86495a8c0d806916532a8d1c97

SHA512
84c007a9dcf244aa1a96e2065468d15c2deb37217a5521f70fcc79115c42e6180a16117efe5382fad0f106090505166868e3834cdcb069a23e1ccd7941723627

Download Submit
C:\Windows\SysWOW64\Nhlfoodc.exe

Filesize
144KB

MD5
1f5620f6c10433d33b2c9ff4c7daeebf

SHA1
1f24694cc7ab4c2a46f4b11e37ea9337dfdc5c0e

SHA256
62b584997b60d65a87494130b23187d26e4a2abe0f8fdd933776adc97159b6c2

SHA512
d2770eef0f9362cf7f6e61c03622611d39c13287375715faf19676965c1d850f005e951b9b978cc3cce2752b2359439024ebbad7b8c87e7731d84d0f676ae0cb

Download Submit
C:\Windows\SysWOW64\Nkapelka.exe

Filesize
144KB

MD5
3dca3d24c86ae5187363c5a477152cde

SHA1
86fadedb9868961953accd1d540b8355b3544dbb

SHA256
8c81fe5cbeae40e716f554eb45a029e5e5007fdf652096486b4a4fdf4188b33b

SHA512
7024783cc114c5464117e7d6b32463b280f18f34300d164e70aac7a155e3d855bc1d467ed9aa41bed69c818c9ecb60a3ae7ffa001b6fae618788e047d9cf12c7

Download Submit
C:\Windows\SysWOW64\Nkhfek32.exe

Filesize
144KB

MD5
0b2f11ad8cc2f0b463ad6f35ae1ac0ce

SHA1
d0af9be12085fdb38de2f6616cb69d9a6a67008b

SHA256
8382d40575979130880c68454598bb4b524f5b5666a47a02deeffacb520938cc

SHA512
a8b8ea786962f1bed0378f92b5d5e6f7f8a0af99632eeb177a12425107a8d72e48d3881491387a1cc15c53422bcc40512afe4a01572e75dfb94a05621b0da457

Download Submit
C:\Windows\SysWOW64\Nkjckkcg.exe

Filesize
144KB

MD5
2586b57aa73fa8b21083396fbab48a54

SHA1
2dc938357d5f1bbb635c3beed6250dea7297d633

SHA256
9e341ad0f91dddceba058697e7a7cc2d09b6ae2a1f062a485700ff52a72d0143

SHA512
1077518fd8c7821a34ef35d889e945aa0f19e0423df4d223128a46fa27e4d8f046d146c07588538d089732f26385d9a43839d94350b36641cf0bdcfe50ed8ccd

Download Submit
C:\Windows\SysWOW64\Nooikj32.exe

Filesize
144KB

MD5
937c8c3e86d8ca59963856a7b22877c4

SHA1
581f47b4387a56fb42d469226077877d161e9de5

SHA256
4a9df6cccab471bfa5d75725d734111cc9cae7d3fbbe50d971a55c02a260c245

SHA512
e88d50a168e0772c6e8fee0882f05cd1d48fb56c053612dd0e4a2b23ec3190993409e98678ff40caca5c2a080ebf24ed71e0b26ea1c7cbe8bad8999f6ebb3d38

Download Submit
C:\Windows\SysWOW64\Ochamg32.exe

Filesize
144KB

MD5
88fa8d5d9863fea0c64d52ec21218af9

SHA1
6fce51376d0e5e0985417bd033d2e5c4f6ad6c6c

SHA256
7f8b7de857ce9ed7b8806974437899d4364491224b22920036d419653345c542

SHA512
39f36e5bbb5e5f7a18fe3c036a39ca391940b3735afc0250a779f85f4f59ec18594e1b30aefb5eaa0f1045a611e0bea36171637a4f057fa935f491e00c9e0083

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
144KB

MD5
f7b426b8dbe0ffc8777869df680fb260

SHA1
0fe17e6b0e5727744e331c0e5d011492706410c6

SHA256
ddefdf5a58991ad37c3ae5346e1fa0d06fb15e7604e3ae9d628e821bb0f9b7ff

SHA512
601822d82af23792fcc2e8678da2ba6b90569b0e909d5feb1c7cbb8ebd9b501bf69dc039c90f3fce273c10a25263a9a229137c0e8f1c4fd20d3fd770fa8d1be0

Download Submit
C:\Windows\SysWOW64\Odjmdocp.exe

Filesize
144KB

MD5
3569ed0c25d7db631b1e820a77d5fe61

SHA1
dd292c1125c411cfe3c2bc906b7fd0a3c1f1750e

SHA256
9ec09487caa318b49fd5a641005ac8e4ece4273f95e2940d95552c39725fbca4

SHA512
1adacb05b9da9d51ce2c011af8daab8e8bd1195fe44b8cca3a23b1e7f902817dc9b5cc28dfbcfda8c1761120c109caf2a329bae8c3d3924a00be070308cbde16

Download Submit
C:\Windows\SysWOW64\Oflfdbip.exe

Filesize
144KB

MD5
402964b78a6b072c374eb58654eae3ed

SHA1
9d0a9e1c074b55d058eee1e4f925888736305e55

SHA256
196e1def51a8f892c2f341e107b57e8f69874d453a5c7f5c3bf03cfa1248cedb

SHA512
098506061c3eb73df0d72b8ab6167f839b9f591b15dccc9f9743eb2f78760363dc38505086251c7e2f4dfed891b1f97bc4b1e0d77cba2ee3cdee51d72260c5f9

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe

Filesize
144KB

MD5
18ce950c650830ba17f27747033307ec

SHA1
7e2ea9665b8b9e1b19eae29082d6396d086c12f7

SHA256
9639ad2e11b5ebb6cbce00cb4b08bab171e477756d8e487d5e14e863cacdd5bb

SHA512
31f58cc8622809318321a35d53676dd3d8a7f1ec08c1c5a9b4df8b510f035662c702a77df401bd1cf0bf9528918beb8584e92dbf4e7b89d4f51646c49a949e6a

Download Submit
C:\Windows\SysWOW64\Ohhfknjf.exe

Filesize
144KB

MD5
2eb78c4921873ff9ff5dc9d21e746113

SHA1
e646679bf1e93db0c25d89967b8e30aa2181ffb4

SHA256
e4cca194365d326be0f97c5b2370efa0fdfc4e6f86f67681be111b9f3f03e8c6

SHA512
e23b1386659c3d94c5e27839f65df97268260efa35ee0bb91056bf6ca13935ba317d186baa6a318560f0852573701693ef8c5f376a288d70612c4279a4a2d2f0

Download Submit
C:\Windows\SysWOW64\Okfbgiij.exe

Filesize
144KB

MD5
a6f815d1cdf2aa253db9af61b51e53a3

SHA1
047a647d91badf44a05bb2f29838af2909c30714

SHA256
0acebea723c6cba2752cf533a5286c70117a1ee2c5ede9c86d3e77b02bd6d819

SHA512
1636cdf592f05f5fd5db12d36bd674819eda3993162f06f02c5ba504248e25eb4972eed80b3a5de685cc4acec78b3a579a087ab3826903b849126b3d771e96d2

Download Submit
C:\Windows\SysWOW64\Oljoen32.exe

Filesize
144KB

MD5
6cc3cd453c65f6e0f8860451d557bed4

SHA1
e46c6ca60b73d956f1ec9d09be4c41637f92da22

SHA256
f001eda1d7f9a02c8084c1926eefc0e144b716bb071fee3af6a55a7a34f39e92

SHA512
d519c3174be46f536e83c0525cba617ea759655c16597b3ed45f8b20ecde7972f059e4de6b214b7513d82996a98d5729336796c703f7c99400e1277d035c8fbb

Download Submit
C:\Windows\SysWOW64\Ollljmhg.exe

Filesize
144KB

MD5
36580ba1b6fb97f8d9104f0bf6c34500

SHA1
d3ad69983db554de28ecc50cea7a4ee7fa3c5fc5

SHA256
e2edff92d18983ec6c997944105a4c521e260621a587929b11d415ffd8f40773

SHA512
6f4dc48faef18540b64751597eebcba6e7dbdb9ed28303fcb3f6e70b59ff975f6032b4a5937b32185a282088690fd0f1a9540ae3581097b68e59f83ae1c01cd7

Download Submit
C:\Windows\SysWOW64\Oooaah32.exe

Filesize
144KB

MD5
b7f2290348f8fa353372125e3e54bb4e

SHA1
2cedfe03117575f480275082d27a1afd4d5a0a84

SHA256
d4c5964394c6093a13f324bb52f05f7aee2348d5f19d72a3180b81f723a14f24

SHA512
5559b44fb608ba7ee4cd4ca24d9405829c7e9a1e6300410a0b226e45b5a7059d1f9106a7c350b2949ee37419466a5db7fac49d4b6d508feb0a3582392b0c9174

Download Submit
C:\Windows\SysWOW64\Pbbgicnd.exe

Filesize
144KB

MD5
dee6ae8e937af74d57c93032d4d6c340

SHA1
c861cc23f53929350e7a4a43a4cd5fba33216caa

SHA256
1fa09e85d9d2ab2cce8f55ea9a79a4a1faa38faef7630c6a54c6136a1d016a64

SHA512
8a533f1923d236e3a49bfd77f0696164f756b0660b00bdabb58a5f1b5dc86082e9b1759018622945dc130420bde16a5c563ebae3361892144fd6ad3b9eae49cb

Download Submit
C:\Windows\SysWOW64\Pbddobla.exe

Filesize
144KB

MD5
8b10dc30431798cf4d797713b6f6882a

SHA1
39b08844abed65711a5f1bed38df8c4b261d2a0e

SHA256
779506c2030abf91cda5ae83ac4454df7314646a263e0b7f30c92918088688c0

SHA512
c44dcb6f9f2aacd0f6f6ee7d0b1032e7abb88e0241af9201ee4e0e3be674ca86596b7af2e7306de863ed365d969ee706823be4db13266beaca20a2a7c88d8e48

Download Submit
C:\Windows\SysWOW64\Pkholi32.exe

Filesize
144KB

MD5
6398c10d0d1e64297037c80068beed19

SHA1
5d1fdb5265ebdf34eb5480a3549b39856f1cadc7

SHA256
08b55798078819536ec4733f21fb4955183aa9460becbff98c872668e194eb21

SHA512
6bbe22775f472edcd444ebaed24ad106843bccd3adbd73ac7bf95771bfa98df7bcd3eb6784bb7e30b034365d2a0c68c9f66ec84f177101e5fb130b44ecc452ab

Download Submit
C:\Windows\SysWOW64\Pmhkflnj.exe

Filesize
144KB

MD5
bfd00019ef88a2da05a6336371f81432

SHA1
c791a5457e541c689b9b02990840622ba845fb03

SHA256
4f3d26523e6d2954a2dba2cf67ca275ea4429d8843d69f6b8c8fa0bab4636484

SHA512
6a0071331bd182c3a14cb2fbe3e2c7ad8854f0df5251ae4bc5a71c271198c3454c264296be8b7cda594667bcbaec1f245be4e1ccea867f24bd09577e3c234162

Download Submit
C:\Windows\SysWOW64\Pmjhlklg.exe

Filesize
144KB

MD5
5d6cc6bd8f61506fc70924ed37bf2d6a

SHA1
f65cde019a92ecbad2b1eece75b1ca316fac69d8

SHA256
acc9da6e262cad5a53b35b0f8a7b4437b341bdf926d225f9fda2f3722bf916db

SHA512
c2b94107c85a40c914f63858596afca338a017b05803c285bb0720bc2d76d52420cc1cbf9fe68dca2f4e3aa2ce232fff1505bf35f232670b646ea668e15e71a8

Download Submit
C:\Windows\SysWOW64\Qcncodki.exe

Filesize
144KB

MD5
c5a4063a6322d74975eb1cd3117f41da

SHA1
f75a07ab2da490fea1cc7a19632a0c22afcc4553

SHA256
a471fa67297f23469393c46e50832ff798a5862fc9522cdbd4f023d4abdb346a

SHA512
31505b9ff82b98e0a055fd36aace10579de7ab18043115bcd28e648e9195a8a998348be52c4039abebdb116ba6df17c4eef83773f9d01097ad1716cfe8d92195

Download Submit
C:\Windows\SysWOW64\Qmanljfo.exe

Filesize
144KB

MD5
d5622d00181618309aa93f76ad7c023f

SHA1
d4e193e4d013df4a7cec55be0f097ef7ead85e88

SHA256
7eb8f2a0bf6afde6099784212ef48940f88ed7a98cd8f8977fb4cc67d1c8ca4f

SHA512
15e989d0ae50d94e30372ca393ebe614272d6e60fa84c7acf4bd26004cbe415f21e919a213f5c69629082f28a3df5e7104edc93cca6e6fbd6517c59e989bd65d

Download Submit
memory/64-579-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/64-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/184-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/312-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/348-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/468-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/676-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/920-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/928-588-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/928-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/980-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1132-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1316-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1480-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1480-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1504-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1576-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1588-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1600-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1684-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2244-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2288-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2364-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2448-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2664-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2720-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2764-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2832-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2860-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2860-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2872-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3040-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3068-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3088-558-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3088-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3220-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3280-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3324-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3324-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3328-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3564-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3596-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3620-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3660-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3732-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3736-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3796-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3940-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3952-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3952-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3976-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4052-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4104-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4220-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4340-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4436-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4440-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4596-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4704-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4788-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4828-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4864-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4884-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4960-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4964-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5012-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5140-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5180-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5220-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5260-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5304-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5344-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5384-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5424-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5464-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5504-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5544-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5584-526-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5624-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5664-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5704-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5748-552-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5792-559-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5836-566-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5880-573-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5924-580-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5968-587-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5968-589-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads