92c7d54c3e477f28a2ace599dd30ee152dd5cb73e82893ba2b18e85a77766b1b

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6190988fc5877ab54f34426310c3090N.exe
Size

1.9MB
MD5

d6190988fc5877ab54f34426310c3090
SHA1

240a99fde437a3c45cd21082f0c6d5f7c70cafc6
SHA256

92c7d54c3e477f28a2ace599dd30ee152dd5cb73e82893ba2b18e85a77766b1b
SHA512

27db41e613d74bcddb22ed0f9835836435b729c935d5f8f789a8743c1dcf88730544570abf5d4b18d5915b5bd3bf9d2013f6046b23484a7295788adc977d57fa
SSDEEP

24576:bXvaNIVyeNIVy2jUKaNIVyeNIVy2jUtc9uO2NIVyeNIVy2jUKaNIVyeNIVy2jUO:jVyj1yj3uOpyj1yjH

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d6190988fc5877ab54f34426310c3090N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcidopb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Podkmgop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ooangh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfiagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlqloo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Memalfcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oloipmfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Madbagif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfpghccm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfncia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medglemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlqloo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oohkai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlefjnno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Podkmgop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofdqcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkjjdmaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medglemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nofoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obpkcc32.exe

Executes dropped EXE 63 IoCs

pid	Process
2460	Memalfcb.exe
4572	Mkjjdmaj.exe
4740	Madbagif.exe
1908	Mdbnmbhj.exe
3008	Mklfjm32.exe
4808	Mafofggd.exe
2120	Mddkbbfg.exe
3884	Mojopk32.exe
3120	Medglemj.exe
4440	Nlnpio32.exe
1172	Nakhaf32.exe
2692	Nlqloo32.exe
3172	Ncjdki32.exe
4804	Nfiagd32.exe
3160	Nlcidopb.exe
5028	Ncmaai32.exe
2456	Nfknmd32.exe
3456	Nlefjnno.exe
1396	Nocbfjmc.exe
2216	Ndpjnq32.exe
3192	Nlgbon32.exe
2748	Nofoki32.exe
4264	Nfpghccm.exe
1432	Ohncdobq.exe
4536	Oohkai32.exe
1916	Obfhmd32.exe
4836	Ohqpjo32.exe
4160	Ookhfigk.exe
4712	Ofdqcc32.exe
4760	Oloipmfd.exe
2224	Ochamg32.exe
5108	Ofgmib32.exe
3688	Omaeem32.exe
2432	Ocknbglo.exe
3992	Odljjo32.exe
464	Ooangh32.exe
2612	Obpkcc32.exe
1484	Pijcpmhc.exe
1592	Podkmgop.exe
2584	Pfncia32.exe
2184	Pmhkflnj.exe
1376	Pcbdcf32.exe
3380	Pecpknke.exe
3060	Pmjhlklg.exe
5056	Pcdqhecd.exe
5160	Peempn32.exe
5200	Pmmeak32.exe
5240	Pokanf32.exe
5280	Pbimjb32.exe
5320	Piceflpi.exe
5360	Pkabbgol.exe
5400	Pcijce32.exe
5440	Qejfkmem.exe
5480	Qmanljfo.exe
5520	Qppkhfec.exe
5560	Qfjcep32.exe
5600	Qmckbjdl.exe
5640	Qcncodki.exe
5680	Aflpkpjm.exe
5720	Amfhgj32.exe
5760	Apddce32.exe
5800	Afnlpohj.exe
5840	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nlnpio32.exe	Medglemj.exe
File created	C:\Windows\SysWOW64\Ipiddlhk.dll	Nlnpio32.exe
File opened for modification	C:\Windows\SysWOW64\Nfiagd32.exe	Ncjdki32.exe
File created	C:\Windows\SysWOW64\Ndpjnq32.exe	Nocbfjmc.exe
File created	C:\Windows\SysWOW64\Ochamg32.exe	Oloipmfd.exe
File created	C:\Windows\SysWOW64\Oenlmopg.dll	Odljjo32.exe
File opened for modification	C:\Windows\SysWOW64\Obpkcc32.exe	Ooangh32.exe
File created	C:\Windows\SysWOW64\Podkmgop.exe	Pijcpmhc.exe
File opened for modification	C:\Windows\SysWOW64\Pbimjb32.exe	Pokanf32.exe
File created	C:\Windows\SysWOW64\Lgilmo32.dll	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Bhejfl32.dll	Mddkbbfg.exe
File created	C:\Windows\SysWOW64\Nlqloo32.exe	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Naapmhbn.dll	Nfknmd32.exe
File created	C:\Windows\SysWOW64\Ghnkilod.dll	Ooangh32.exe
File created	C:\Windows\SysWOW64\Peempn32.exe	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Pnnggcqk.dll	Pokanf32.exe
File opened for modification	C:\Windows\SysWOW64\Qppkhfec.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Ofgmib32.exe	Ochamg32.exe
File opened for modification	C:\Windows\SysWOW64\Ocknbglo.exe	Omaeem32.exe
File opened for modification	C:\Windows\SysWOW64\Podkmgop.exe	Pijcpmhc.exe
File opened for modification	C:\Windows\SysWOW64\Pmjhlklg.exe	Pecpknke.exe
File created	C:\Windows\SysWOW64\Pcdqhecd.exe	Pmjhlklg.exe
File created	C:\Windows\SysWOW64\Pokanf32.exe	Pmmeak32.exe
File created	C:\Windows\SysWOW64\Afnlpohj.exe	Apddce32.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Apddce32.exe
File created	C:\Windows\SysWOW64\Memalfcb.exe	d6190988fc5877ab54f34426310c3090N.exe
File opened for modification	C:\Windows\SysWOW64\Madbagif.exe	Mkjjdmaj.exe
File created	C:\Windows\SysWOW64\Jjonchmn.dll	Nlqloo32.exe
File opened for modification	C:\Windows\SysWOW64\Nfpghccm.exe	Nofoki32.exe
File opened for modification	C:\Windows\SysWOW64\Ofgmib32.exe	Ochamg32.exe
File created	C:\Windows\SysWOW64\Dlqgpnjq.dll	Pfncia32.exe
File created	C:\Windows\SysWOW64\Qppkhfec.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Gckjdhni.dll	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Cifiamoa.dll	Mafofggd.exe
File opened for modification	C:\Windows\SysWOW64\Nlnpio32.exe	Medglemj.exe
File created	C:\Windows\SysWOW64\Ncjdki32.exe	Nlqloo32.exe
File created	C:\Windows\SysWOW64\Nlgbon32.exe	Ndpjnq32.exe
File opened for modification	C:\Windows\SysWOW64\Oohkai32.exe	Ohncdobq.exe
File created	C:\Windows\SysWOW64\Odljjo32.exe	Ocknbglo.exe
File opened for modification	C:\Windows\SysWOW64\Pmhkflnj.exe	Pfncia32.exe
File created	C:\Windows\SysWOW64\Amfhgj32.exe	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Mdbnmbhj.exe	Madbagif.exe
File opened for modification	C:\Windows\SysWOW64\Ohncdobq.exe	Nfpghccm.exe
File opened for modification	C:\Windows\SysWOW64\Pcijce32.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Mkjjdmaj.exe	Memalfcb.exe
File opened for modification	C:\Windows\SysWOW64\Mafofggd.exe	Mklfjm32.exe
File created	C:\Windows\SysWOW64\Kefjdppe.dll	Mklfjm32.exe
File created	C:\Windows\SysWOW64\Nakhaf32.exe	Nlnpio32.exe
File opened for modification	C:\Windows\SysWOW64\Ndpjnq32.exe	Nocbfjmc.exe
File created	C:\Windows\SysWOW64\Aofbkbfe.dll	Podkmgop.exe
File created	C:\Windows\SysWOW64\Pcbdcf32.exe	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Pmmeak32.exe	Peempn32.exe
File opened for modification	C:\Windows\SysWOW64\Ncmaai32.exe	Nlcidopb.exe
File opened for modification	C:\Windows\SysWOW64\Nlefjnno.exe	Nfknmd32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeak32.exe	Peempn32.exe
File created	C:\Windows\SysWOW64\Mkjjdmaj.exe	Memalfcb.exe
File created	C:\Windows\SysWOW64\Mddkbbfg.exe	Mafofggd.exe
File created	C:\Windows\SysWOW64\Ofdqcc32.exe	Ookhfigk.exe
File opened for modification	C:\Windows\SysWOW64\Oloipmfd.exe	Ofdqcc32.exe
File created	C:\Windows\SysWOW64\Nnmmnbnl.dll	Omaeem32.exe
File opened for modification	C:\Windows\SysWOW64\Odljjo32.exe	Ocknbglo.exe
File created	C:\Windows\SysWOW64\Cieonn32.dll	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Nfiagd32.exe	Ncjdki32.exe
File created	C:\Windows\SysWOW64\Jdaaqg32.dll	Ofgmib32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oohkai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Memalfcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcidopb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlgbon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oloipmfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefjnno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklfjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6190988fc5877ab54f34426310c3090N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mafofggd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peempn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkjjdmaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omaeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdbnmbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfiagd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofoki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medglemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obfhmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookhfigk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpghccm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooangh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odljjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohncdobq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocknbglo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlqloo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obpkcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mddkbbfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfknmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohqpjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nakhaf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Medglemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opepqban.dll"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apddce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conkjj32.dll"	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkamckh.dll"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mafofggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmhc32.dll"	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oloipmfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnegipj.dll"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcdqhecd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjam32.dll"	Nfpghccm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnkilod.dll"	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhinoa32.dll"	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfiagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdojoeki.dll"	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqpqlhmf.dll"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenflo32.dll"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Memalfcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebggf32.dll"	Nofoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgilmo32.dll"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daphho32.dll"	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqgpnjq.dll"	Pfncia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaaqg32.dll"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfncia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mklfjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mafofggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldqdebb.dll"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpkdlkd.dll"	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d6190988fc5877ab54f34426310c3090N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngihj32.dll"	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgedpmpf.dll"	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlefjnno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Afnlpohj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2460	2616	d6190988fc5877ab54f34426310c3090N.exe	90
PID 2616 wrote to memory of 2460	2616	d6190988fc5877ab54f34426310c3090N.exe	90
PID 2616 wrote to memory of 2460	2616	d6190988fc5877ab54f34426310c3090N.exe	90
PID 2460 wrote to memory of 4572	2460	Memalfcb.exe	91
PID 2460 wrote to memory of 4572	2460	Memalfcb.exe	91
PID 2460 wrote to memory of 4572	2460	Memalfcb.exe	91
PID 4572 wrote to memory of 4740	4572	Mkjjdmaj.exe	92
PID 4572 wrote to memory of 4740	4572	Mkjjdmaj.exe	92
PID 4572 wrote to memory of 4740	4572	Mkjjdmaj.exe	92
PID 4740 wrote to memory of 1908	4740	Madbagif.exe	93
PID 4740 wrote to memory of 1908	4740	Madbagif.exe	93
PID 4740 wrote to memory of 1908	4740	Madbagif.exe	93
PID 1908 wrote to memory of 3008	1908	Mdbnmbhj.exe	94
PID 1908 wrote to memory of 3008	1908	Mdbnmbhj.exe	94
PID 1908 wrote to memory of 3008	1908	Mdbnmbhj.exe	94
PID 3008 wrote to memory of 4808	3008	Mklfjm32.exe	95
PID 3008 wrote to memory of 4808	3008	Mklfjm32.exe	95
PID 3008 wrote to memory of 4808	3008	Mklfjm32.exe	95
PID 4808 wrote to memory of 2120	4808	Mafofggd.exe	96
PID 4808 wrote to memory of 2120	4808	Mafofggd.exe	96
PID 4808 wrote to memory of 2120	4808	Mafofggd.exe	96
PID 2120 wrote to memory of 3884	2120	Mddkbbfg.exe	97
PID 2120 wrote to memory of 3884	2120	Mddkbbfg.exe	97
PID 2120 wrote to memory of 3884	2120	Mddkbbfg.exe	97
PID 3884 wrote to memory of 3120	3884	Mojopk32.exe	98
PID 3884 wrote to memory of 3120	3884	Mojopk32.exe	98
PID 3884 wrote to memory of 3120	3884	Mojopk32.exe	98
PID 3120 wrote to memory of 4440	3120	Medglemj.exe	99
PID 3120 wrote to memory of 4440	3120	Medglemj.exe	99
PID 3120 wrote to memory of 4440	3120	Medglemj.exe	99
PID 4440 wrote to memory of 1172	4440	Nlnpio32.exe	100
PID 4440 wrote to memory of 1172	4440	Nlnpio32.exe	100
PID 4440 wrote to memory of 1172	4440	Nlnpio32.exe	100
PID 1172 wrote to memory of 2692	1172	Nakhaf32.exe	101
PID 1172 wrote to memory of 2692	1172	Nakhaf32.exe	101
PID 1172 wrote to memory of 2692	1172	Nakhaf32.exe	101
PID 2692 wrote to memory of 3172	2692	Nlqloo32.exe	102
PID 2692 wrote to memory of 3172	2692	Nlqloo32.exe	102
PID 2692 wrote to memory of 3172	2692	Nlqloo32.exe	102
PID 3172 wrote to memory of 4804	3172	Ncjdki32.exe	103
PID 3172 wrote to memory of 4804	3172	Ncjdki32.exe	103
PID 3172 wrote to memory of 4804	3172	Ncjdki32.exe	103
PID 4804 wrote to memory of 3160	4804	Nfiagd32.exe	104
PID 4804 wrote to memory of 3160	4804	Nfiagd32.exe	104
PID 4804 wrote to memory of 3160	4804	Nfiagd32.exe	104
PID 3160 wrote to memory of 5028	3160	Nlcidopb.exe	105
PID 3160 wrote to memory of 5028	3160	Nlcidopb.exe	105
PID 3160 wrote to memory of 5028	3160	Nlcidopb.exe	105
PID 5028 wrote to memory of 2456	5028	Ncmaai32.exe	106
PID 5028 wrote to memory of 2456	5028	Ncmaai32.exe	106
PID 5028 wrote to memory of 2456	5028	Ncmaai32.exe	106
PID 2456 wrote to memory of 3456	2456	Nfknmd32.exe	107
PID 2456 wrote to memory of 3456	2456	Nfknmd32.exe	107
PID 2456 wrote to memory of 3456	2456	Nfknmd32.exe	107
PID 3456 wrote to memory of 1396	3456	Nlefjnno.exe	108
PID 3456 wrote to memory of 1396	3456	Nlefjnno.exe	108
PID 3456 wrote to memory of 1396	3456	Nlefjnno.exe	108
PID 1396 wrote to memory of 2216	1396	Nocbfjmc.exe	109
PID 1396 wrote to memory of 2216	1396	Nocbfjmc.exe	109
PID 1396 wrote to memory of 2216	1396	Nocbfjmc.exe	109
PID 2216 wrote to memory of 3192	2216	Ndpjnq32.exe	110
PID 2216 wrote to memory of 3192	2216	Ndpjnq32.exe	110
PID 2216 wrote to memory of 3192	2216	Ndpjnq32.exe	110
PID 3192 wrote to memory of 2748	3192	Nlgbon32.exe	111

C:\Users\Admin\AppData\Local\Temp\d6190988fc5877ab54f34426310c3090N.exe
"C:\Users\Admin\AppData\Local\Temp\d6190988fc5877ab54f34426310c3090N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\Memalfcb.exe
  C:\Windows\system32\Memalfcb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\Mkjjdmaj.exe
    C:\Windows\system32\Mkjjdmaj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\SysWOW64\Madbagif.exe
      C:\Windows\system32\Madbagif.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4080,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Madbagif.exe

Filesize
1.9MB

MD5
b1736fa79f38026ce1d772b1d9e7af4a

SHA1
e3ea268eaa8faa9ca475ad117e9f5e124daed0c5

SHA256
66bf129874ea5aa2bf85f8ef06178b21d86370a5d4e4baeda032faac2a59dc2d

SHA512
418b9b9aa3486a50e40376be0642c23de575af02191c2b3d5fc76be709597ac78780c7456c67ec54283892569e878c79f3ec7b6fa7ee747fb3113cb30a8225fc

Download Submit
C:\Windows\SysWOW64\Mafofggd.exe

Filesize
1.9MB

MD5
edafeb63127680c5afa095f5958502a9

SHA1
1c7b44ab4044b6a2973d5a6f739c47316b75fb73

SHA256
753c336b1bed26dee2e38947f3a70087d8826a12e647ff82fa628d7528e6f775

SHA512
a0cc2490aecbb1f31d65281e152243953c19a2f271a6a19f2ddc8357f4dca8cc6acc5f5e7982c871931d1e31190cc91c1e0d0cf2e1424cd80bf589ac34e43645

Download Submit
C:\Windows\SysWOW64\Mdbnmbhj.exe

Filesize
1.9MB

MD5
721fd81bc95e07a08859fbd52c2a4693

SHA1
8f857d694024ad50692883edb00b5c070fd938a0

SHA256
4f955c6aebd9b019efea074187d2c5876a235b80df8a6c2d406aed92062150fb

SHA512
ff2b2c2eb7800c9fbc751a5285c914bf2a0b6005371078a83fa87b7f143d93f9cf9baf44e01ea5ad7711d87f2b218491faf45a5b676826281765040fb46e017f

Download Submit
C:\Windows\SysWOW64\Mddkbbfg.exe

Filesize
1.9MB

MD5
ce72ada9030c590e572afcef5d85a3a3

SHA1
c6dfeebed3c71cb4467ab96fbc8fb58fb2d93c77

SHA256
af88302ee34934d1907eba1f3b7b88846f18625defd809f74473a2cf423aa463

SHA512
145b10199321491799532a07f2a3263e752ed8cc6e97ae6573cc3d91ce255a0c09bb5be47513800f3efa331300d4b12ab07b11847d73403b6a114dc46ac06fc8

Download Submit
C:\Windows\SysWOW64\Medglemj.exe

Filesize
1.9MB

MD5
5a244756138aace6e0a191f14dd55ff1

SHA1
2ee82e17ae012ef7c223cad958274fc8dc2b92da

SHA256
e517fda03f311a813ad96447e7812bdfcd91f84d2c7993fa216969403983585b

SHA512
d186e118bc48b2f5e5a8b1b56f71ca3736a54f45503f8e8fcd4ef5ff29462984f19456c278471b74865eb5040da403b891e9cb382b61e115c067690a3c1877bd

Download Submit
C:\Windows\SysWOW64\Memalfcb.exe

Filesize
1.9MB

MD5
e12b60b8cc630d520e995d1b74eeddf2

SHA1
cc610daaaa07e16d371201e07ad4f83f007d37f3

SHA256
e86a966009a5016bff0a8ea18041d00fec161ff6d13c5bec77de26e2a64c105d

SHA512
0eb8fb3e82142fb01b93ea9be11dd483fc8612b7bdaa33dbc7842bec893304e45a1303b4a77cad5b65979de6638f68868228c459ccf964f0c9b8e4f914e95ff3

Download Submit
C:\Windows\SysWOW64\Mkjjdmaj.exe

Filesize
1.9MB

MD5
c45e67731a0c31f84647b314e15776e7

SHA1
59c8a15a088880a84c57623bd9603cd514132b05

SHA256
75a727a85acbae2da1512a62d76f6d39db917393b37084a9c462fd12d813ab24

SHA512
7125cc6696eec39242c7fff8a0757bfbb57b49beda7112fd5889b973967ea2496d31be1894f5046a93b1f1aed6010ac015ee2310e49a82c3f740c4e0b7ddfff3

Download Submit
C:\Windows\SysWOW64\Mklfjm32.exe

Filesize
1.9MB

MD5
fcff049e1b2bc163f720bbf1b4575e74

SHA1
0dd5d64449e44b0bb9ef1d2fa5950e83c96a81b5

SHA256
9937a04ba7de6bbd9271dd6375909c0ad80fe05fcbe57ae3ab1be3315cecb207

SHA512
93bcf069dfbfa8abb54e271ae260e3b82750de62bdc147890f134def211437b80df6edf03ff29a4704fdcc0dd5ab5346ce3245a9dc4aa3d0864ad5bf1815b357

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
1.9MB

MD5
87714b8fe6c4dc90d5f46b9bd15da079

SHA1
6a749bf39ab077b2326526f200140bfb63337df5

SHA256
5bd4c0615246030e0bb616a49503fee91a0d2f3d93b78fbcb2b2b683cf22ab25

SHA512
1255ca3c501468fb920307553728ea1f2b2564e9c8266b0178e2595bca844689a470a11ab4671e78f21dc828945aee246367f14425b6632700d1da732d0a5fb2

Download Submit
C:\Windows\SysWOW64\Nakhaf32.exe

Filesize
1.9MB

MD5
c310beaff8e2b2d30830d5250e4c4c0f

SHA1
99b321eda3f18a33e21c336e81ae2b57d74b6311

SHA256
064a9babfd11a94c7572d2fdeee8475190794acd0df275dcdc8f18849f6a2551

SHA512
dfd2f1190e5d01b93eeedc5d292cf9322b850016d14b3de04cb286053dff5fe76a243627132120f6352e7f6847c5b07809fd46ff929a15f6525105d66ac84ca3

Download Submit
C:\Windows\SysWOW64\Ncjdki32.exe

Filesize
1.9MB

MD5
932e64b627b52b107c7f17adab5aac83

SHA1
633b7d8355849ffc1de9fb1659c708aad00c2726

SHA256
7fc0fc786b2fe562d61fd82831754323825e280d7994efafdb22114747cec858

SHA512
2117136317fb601b38d57476532ffde866d3a75314225326bae3cb156054e6d4d17ff2f1de7ec74d908e0ea3d4b089f60333e8e985c0489e61f690e595469f15

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
1.9MB

MD5
87a8d8978265f207ef3e0ab4a5980011

SHA1
a7ade8c2591815b23a6ce5a420a02cbc72583bcf

SHA256
ba950e37819d7ed09b5766d788e9029d8a6e305aac3951babe0cc511144f6bf8

SHA512
db2175b8a739314dff01c9fe785a084b74f626860cc0eb2b90b39e4f23585bb06ef8c8d083230a07bde57071bc68207012dc4fa40cef0df7fcdeb09fa9e80fe0

Download Submit
C:\Windows\SysWOW64\Ndpjnq32.exe

Filesize
1.9MB

MD5
6583adc639ba76912b453e62246f3806

SHA1
3fac9715e6c49bea60726a463c425872f03ab640

SHA256
f3e28f0c598a1311e3798677f37538f3314e5dfcb8b18f040bd6b95db1c69f3b

SHA512
e4bb6ce26799966f70f20843ee118a85a4751ac49406e441a87adcb6957edb1d6dd5a565cb8a883fb610e532b7aea3de6dcfa7817d8b3b5565fd0a9e3a98c932

Download Submit
C:\Windows\SysWOW64\Nfiagd32.exe

Filesize
1.9MB

MD5
4cfdbdff50cc1d228adcbd3e2acbc53a

SHA1
b4bb366d8e714c0c93faab2bf2e33e862db79ef3

SHA256
77d68ecb78c3ff0a2da323b88cee7eea9b4b1797b9948086e01f77c17095e313

SHA512
762af09ca42284a5efffadbbfb5ce1abbe39e9210e51f71f336544f84c3da3e45b8b6be2527ec891a70c4b6c18673006978da273d98cc9a43ffc4cb865a402d0

Download Submit
C:\Windows\SysWOW64\Nfknmd32.exe

Filesize
1.9MB

MD5
d0b68b82df7406450e3a411494d11728

SHA1
f58bff581c57c57f776f5bb847dfeeaefb902003

SHA256
48868efe3cd4e19ecf15e848553f856917f3f2007b524acc0fdb17eb6bfea13c

SHA512
6f78ddce1e6dc5c93b618f681c95335e830089b0fe08ddee5f3fa2edeac7b735446d55850038714d6967bbf36ac929778ae1b688b2cd99de21792ab7d55f4801

Download Submit
C:\Windows\SysWOW64\Nfpghccm.exe

Filesize
1.9MB

MD5
456750675eb8307d406d9de5d7463838

SHA1
fbb0343ff09d238ceb6978e9780d3e1796b00980

SHA256
ee45ddc9c73b1cad784f11e5f73a67b6ed4677821efb195b033044aae6454d4c

SHA512
9041929eed5995402f8077b3a68255890b6fed4857a7d10d83f32b6bc012911a6903043e631083e3177f54ceebd1869835e35a30cbaaa2b70ab09401843d9602

Download Submit
C:\Windows\SysWOW64\Nlcidopb.exe

Filesize
1.9MB

MD5
b301446c6f2966ee755c32befa642768

SHA1
60edc73203241c705efad63971ab628e1ab16838

SHA256
44061538eb1b034494d1c777cef9e6d6dd5720f56cce1b3f19f1e48da4fea055

SHA512
b6b659bf8bbc2cd81c6a5ca2ddfd275cdd102052c36967ed5f22a29aa746c89c1ce3c6c4c2453eebb6ce7cf73a3339729e0383d8d767c3333e3ffe5ed837bb95

Download Submit
C:\Windows\SysWOW64\Nlefjnno.exe

Filesize
1.9MB

MD5
68861262a545fc666a52e773dafe888b

SHA1
cba44ffd5a9b5a2cc2cdd34ff0f935c7d80905e2

SHA256
e0e69830b5a8178e0c419c150d06b9ff9ab21a6262018ac7c86bb836677397b6

SHA512
7e493b22f6c46858de656832e16cfc242ee20677ef7420fedbefedd9a0e819e2a3821a0e2ba998f22ccda04f2a94ed871b2c3f17727b3db5620ed3603d62526e

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
1.9MB

MD5
8121b5e5fd6d232d0f638138d8cd664d

SHA1
292139dac87a5c3225c1dbd42edb005dd39cb994

SHA256
4e03df3117182ccb5cecc778b4eda393a66e9b08ee716a2cb2461c0deb7add62

SHA512
a1aef33875c5c7d90f6226834283b641f6364922a676a91b4b1d9b9b02d30bc572e991f710930435c114fdb69331ec7f5cd1af9d7e4633511977baba97a86b00

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
1.9MB

MD5
fb4d0a6387226a90c245732def04f7cf

SHA1
f449dcefb266957a288d225c1c18569178459809

SHA256
268083e4f2299b6537347bd18a1ae2b3300d61b455542e333bb1926c1289f605

SHA512
b419aebe9ca844f3dae2357f1fd5d0bccdfd7464a2cd710128bb122c8905c06bd994d1d6e0f2abcb6ed126bdf26a04c2f585e4b9cb6415acea74107305a68b1d

Download Submit
C:\Windows\SysWOW64\Nlqloo32.exe

Filesize
1.9MB

MD5
12b1562550b827e8ceafcd718fc5fe73

SHA1
f7f3e91158039b9d59d633dabe08c65341ebf365

SHA256
076ea4f0b49c6d69fea37f0caf4594b50bc47585f88b36e38938b078733d3ed5

SHA512
6229e9fb9bfdffddcfdcad05cc62bd6026d2d0587c82d9809889bfae3c3299e87a72263397bdca82fda36076857b218615dcc9f5ac320769054240831b6c0c9d

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe

Filesize
1.9MB

MD5
c83a12b2e0f1df4b130e8239f20b0235

SHA1
59448b883b789804da884a2fd51246469991c364

SHA256
ae64633064849e9387cde3e3e87c080b36baa9df1eeb799eb7c5cc7959110fc3

SHA512
7e038448c6870383628b90cae26299165e6495901d484afd756d6ec456daf43a846b6e297789153b3a3c8055af70f6fc3ff5e9cacfff4922787dc08b6fb53195

Download Submit
C:\Windows\SysWOW64\Nofoki32.exe

Filesize
1.9MB

MD5
ae18e7ffb529d4bae577a201bb88ecfc

SHA1
bf606a40410795cebf8516c7eb8fd15de2ee13ba

SHA256
936b8df1a331c9a19c022f6b86130e709559a523835eb5cda8a8fcf143fcf30f

SHA512
3b35f699d0b78faccd582aaac06615c08ef45dd54e4cdd7648e0c96bef975cd5cbdd6daafd0fa21aaf9f093a9a89665290b0739fb95a9b682753119ad52b28e9

Download Submit
C:\Windows\SysWOW64\Obfhmd32.exe

Filesize
1.9MB

MD5
3e7784cb335da1ae578c03999787b713

SHA1
3a0b2394389772f649e6f716ef9bf5767ca36653

SHA256
43aa324c3f2dd0f60293d6312c3e95ed67393f9032394ff49a8de12df1b352fc

SHA512
03f13b2c5f43fe64467990e4d11a7f88d424da1ecc912a08e092d3366b5ab0839c9b60e63cdfb7ae09929f63991269e0d85580c0b45999cd0a2c3c96895e7949

Download Submit
C:\Windows\SysWOW64\Ochamg32.exe

Filesize
1.9MB

MD5
a41157d5d07a5c94370ec461f3e3e491

SHA1
0142c00ec07090e8cbc291ffd5e265b536c196c6

SHA256
acdc90bce8437ff0258003cfb216974f8e4757f6442982b31e4f0f1b8d736246

SHA512
685af2efd8b3bd2919aced02163100335424b4a22e82cc6ac9b608b4eb7f2a5befbae88c7844101bfdf5dce8b8069d4ca7cb7ac1de191cfe1f8ce9297103842f

Download Submit
C:\Windows\SysWOW64\Ofdqcc32.exe

Filesize
1.9MB

MD5
437866903c16699436a2409de4b8bb42

SHA1
9f818418ba3621745f9d561aaf711e520019a47d

SHA256
0bf40620dc10f4a6da4684b81972dc69238cc0fa93dcabb5f682b9cf655051d8

SHA512
7c33c3961bd54c5214e1eac39927e5058d442e35b1509f3a7e6e1f568555d9a17fa3ba7184d2fac393b2c28b4bd17820243704cdb3489eeda8da2a4ddaf28aba

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
1.9MB

MD5
d65509d30216e5668b34cb5157ae7196

SHA1
f9bf56bc039a0212deb219056ed0aee7a222fa0a

SHA256
7976e1cdb0df0f29ca57c4000ac086e2016597741a95429b5c10a115bea20c59

SHA512
f37fec5ecb97894da06fb38e12745a6abad819acc43800dcf1e523553a69fed61b90c2fc1dae8d3110ed098eb0d352bb4a4ab3ef4773471a94f90e28f4f8c89c

Download Submit
C:\Windows\SysWOW64\Ohncdobq.exe

Filesize
1.9MB

MD5
2816aed522de6a1c749317b98dbc4522

SHA1
53af3fa7d7d9289331c41b0a5e9f9351fe764144

SHA256
ba0d73112fc05648422ee97b6a9c2785d9cafcf2ae25379bb92950c3184c7a3f

SHA512
677fe5dedd0e28899823800a8097066c7c7a875da2c7a77bf05ab928ddc66431cab4967b94a916bc7920651967cee7ecd933dfb5ef5dd1f1baf480bc4d3d85bc

Download Submit
C:\Windows\SysWOW64\Ohqpjo32.exe

Filesize
1.9MB

MD5
671fa3caac62c74b56709414bde76a08

SHA1
7d83813f63aa6982daef656deda58f101aa0d4d6

SHA256
6b4a0b2e0ea31ed9153481c380a5b92559c992560cb7902e8127e99822fe9f08

SHA512
4e1c45f580a955bbde7b2d4e0588ce3ba19bb3d7639f03dd5504cb50a11a44b8b89fd6b05fc5425d7d5a8d37996c28717fc4a9425640a0d75c873296acf4cd81

Download Submit
C:\Windows\SysWOW64\Oloipmfd.exe

Filesize
1.9MB

MD5
833f96277cb93163842bff8abff6ad7b

SHA1
5781178003de09996a94c8ef99723501efb0c193

SHA256
3af98133b41cf30d87dd47e17ae1ee450da4382a15a4803060ea2ac6a3dd3e18

SHA512
f2c9e1332db5cb56afde6c13629d569a079b98e0cb4ecf10e9f7ed3476c052058eb6a4de0b5f8f6c437652279053ca091bba08a1a241f2fe432377c017bdff9a

Download Submit
C:\Windows\SysWOW64\Oohkai32.exe

Filesize
1.9MB

MD5
fa9434338d0d43a9792d41e6ab1de733

SHA1
a957fa44a45bfeda909c83f4fdcac8dc232e56c9

SHA256
274f93155eda38c60abdf994a6fd67fb2b0577827693104532b036e55dd97087

SHA512
3c9ddb0f98a60c81b84b3cab301c47d21564cc24280417147e65fcb726d4b3cbe291beb902a7bfe173462d1f9d0e0d7fa3e21a4cf8db2719d949084066417c35

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
1.9MB

MD5
0c37cf3ef7329806d030ec83288f4967

SHA1
9c84fad556d23f453c45b1f6a5aeb84b91f44f7b

SHA256
ebe083e696e50203f7eeef477f3ce7a58ac07090325f6919ceaaa48d52f03994

SHA512
5ec447eb281dfdb6668905af32e7a9f6f097188a58a2270a12f65edfc82ebf1ee315a43afb7cd8eb404be632e5a999e317d8748098c794eb230c63a4830c9f0d

Download Submit
memory/464-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2692-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5160-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5200-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5240-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5280-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5320-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5360-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5400-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5440-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5480-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5520-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5560-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5600-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5640-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5680-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5720-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5760-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5800-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5840-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5840-674-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads