ad2b5926071d9296b569b937b62cbfdaa39799476e489be9858e7c954c8de4bd

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

748f295aad985b50f7a44216dcd43950N.exe
Size

77KB
MD5

748f295aad985b50f7a44216dcd43950
SHA1

42fc9fe0a98631d3e7d8fbb7d975b08ff2f49bfe
SHA256

ad2b5926071d9296b569b937b62cbfdaa39799476e489be9858e7c954c8de4bd
SHA512

b75cc0e0a0db137c87924c2ade70449036d5faf5b4f87f2234f7c60335e3152b7ba3524c250ab584d40cacd4faf9edbb6db7aef0b989f42cba80efda06e0e5a8
SSDEEP

1536:uaDFLH9zrigQeskaiZzgqbkc0o2Ltewfi+TjRC/:ua5L9thThy5kwf1TjY

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afqifo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debnjgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dedkogqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhjjip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclppboi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maoifh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlncla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciiaogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbbnbemf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgjkpll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmfqngcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moefdljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cleqfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkhfek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qifbll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qihoak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbgnecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciknefmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcpika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acgfec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhjjip32.exe

Executes dropped EXE 64 IoCs

pid	Process
1536	Maoifh32.exe
3536	Mlemcq32.exe
2836	Mkgmoncl.exe
1104	Mdpagc32.exe
4448	Mlgjhp32.exe
2888	Moefdljc.exe
2540	Mhnjna32.exe
1080	Mccokj32.exe
4440	Mebkge32.exe
1172	Mkocol32.exe
4776	Mahklf32.exe
4384	Nlnpio32.exe
1376	Nchhfild.exe
372	Nkcmjlio.exe
2004	Nfiagd32.exe
1608	Nkeipk32.exe
3616	Napameoi.exe
832	Nhjjip32.exe
1268	Nlefjnno.exe
2812	Nkhfek32.exe
2008	Nbbnbemf.exe
5024	Nkjckkcg.exe
4128	Nfpghccm.exe
1592	Okmpqjad.exe
2992	Obfhmd32.exe
2352	Odedipge.exe
184	Ollljmhg.exe
3780	Ookhfigk.exe
1644	Ofdqcc32.exe
5108	Ohcmpn32.exe
3380	Oomelheh.exe
2020	Okceaikl.exe
2784	Obnnnc32.exe
4400	Odljjo32.exe
1464	Okfbgiij.exe
2172	Ocmjhfjl.exe
452	Pijcpmhc.exe
4764	Pbbgicnd.exe
1048	Pdqcenmg.exe
4560	Pkklbh32.exe
4044	Pbddobla.exe
2952	Pecpknke.exe
32	Pkmhgh32.exe
3180	Pbgqdb32.exe
4908	Peempn32.exe
2252	Pkoemhao.exe
2960	Pcfmneaa.exe
4420	Piceflpi.exe
3192	Pkabbgol.exe
5080	Pcijce32.exe
2160	Qifbll32.exe
632	Qppkhfec.exe
1776	Qbngeadf.exe
3372	Qihoak32.exe
4640	Qpbgnecp.exe
1372	Aflpkpjm.exe
464	Amfhgj32.exe
4532	Apddce32.exe
4904	Afnlpohj.exe
4860	Aimhmkgn.exe
2772	Apgqie32.exe
2216	Afqifo32.exe
4952	Aioebj32.exe
4120	Apimodmh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Okceaikl.exe	Oomelheh.exe
File opened for modification	C:\Windows\SysWOW64\Pbddobla.exe	Pkklbh32.exe
File opened for modification	C:\Windows\SysWOW64\Piceflpi.exe	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Pbphca32.dll	Qihoak32.exe
File created	C:\Windows\SysWOW64\Alpnde32.exe	Aiabhj32.exe
File created	C:\Windows\SysWOW64\Cdpqko32.dll	Mhnjna32.exe
File opened for modification	C:\Windows\SysWOW64\Nchhfild.exe	Nlnpio32.exe
File created	C:\Windows\SysWOW64\Kkacdofa.dll	Ohcmpn32.exe
File created	C:\Windows\SysWOW64\Cdnelpod.exe	Ciiaogon.exe
File created	C:\Windows\SysWOW64\Dojahakp.dll	Bcpika32.exe
File created	C:\Windows\SysWOW64\Cbmlmmjd.exe	Cpnpqakp.exe
File opened for modification	C:\Windows\SysWOW64\Ciiaogon.exe	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Abgjkpll.exe	Apimodmh.exe
File created	C:\Windows\SysWOW64\Ggiipk32.dll	Ciiaogon.exe
File created	C:\Windows\SysWOW64\Gjbpbd32.dll	Ollljmhg.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Okceaikl.exe
File created	C:\Windows\SysWOW64\Iipkfmal.dll	Pkmhgh32.exe
File created	C:\Windows\SysWOW64\Bfjllnnm.exe	Bclppboi.exe
File created	C:\Windows\SysWOW64\Fgpoahbe.dll	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Mkgmoncl.exe	Mlemcq32.exe
File created	C:\Windows\SysWOW64\Aojbfccl.dll	Mccokj32.exe
File opened for modification	C:\Windows\SysWOW64\Qpbgnecp.exe	Qihoak32.exe
File created	C:\Windows\SysWOW64\Bifkcioc.exe	Bfhofnpp.exe
File created	C:\Windows\SysWOW64\Bcpika32.exe	Bmfqngcg.exe
File opened for modification	C:\Windows\SysWOW64\Dlqpaafg.exe	Dibdeegc.exe
File created	C:\Windows\SysWOW64\Nfiagd32.exe	Nkcmjlio.exe
File created	C:\Windows\SysWOW64\Aiaeig32.dll	Odedipge.exe
File created	C:\Windows\SysWOW64\Jcokoo32.dll	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Cbhbbn32.exe	Cdebfago.exe
File created	C:\Windows\SysWOW64\Nfcnnnil.dll	Cpnpqakp.exe
File created	C:\Windows\SysWOW64\Nqbpidem.dll	Dedkogqm.exe
File created	C:\Windows\SysWOW64\Nffopp32.dll	Dgdgijhp.exe
File created	C:\Windows\SysWOW64\Jjigocdh.dll	Mlgjhp32.exe
File created	C:\Windows\SysWOW64\Joboincl.dll	Nfpghccm.exe
File created	C:\Windows\SysWOW64\Obfhmd32.exe	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Pkmhgh32.exe	Pecpknke.exe
File created	C:\Windows\SysWOW64\Pkabbgol.exe	Piceflpi.exe
File opened for modification	C:\Windows\SysWOW64\Ciknefmk.exe	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Hlhkja32.dll	Dllffa32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjckkcg.exe	Nbbnbemf.exe
File opened for modification	C:\Windows\SysWOW64\Bmfqngcg.exe	Bflham32.exe
File created	C:\Windows\SysWOW64\Ciiaogon.exe	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Cbgabh32.dll	Mebkge32.exe
File created	C:\Windows\SysWOW64\Qppkhfec.exe	Qifbll32.exe
File created	C:\Windows\SysWOW64\Gckjdhni.dll	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Kmjaeema.dll	Ofdqcc32.exe
File opened for modification	C:\Windows\SysWOW64\Pcfmneaa.exe	Pkoemhao.exe
File opened for modification	C:\Windows\SysWOW64\Cbhbbn32.exe	Cdebfago.exe
File created	C:\Windows\SysWOW64\Clpkdlkd.dll	Ocmjhfjl.exe
File opened for modification	C:\Windows\SysWOW64\Qppkhfec.exe	Qifbll32.exe
File created	C:\Windows\SysWOW64\Cfmidc32.dll	Bcbeqaia.exe
File created	C:\Windows\SysWOW64\Dqjhif32.dll	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Dedkogqm.exe	Dbfoclai.exe
File created	C:\Windows\SysWOW64\Maoifh32.exe	748f295aad985b50f7a44216dcd43950N.exe
File opened for modification	C:\Windows\SysWOW64\Nbbnbemf.exe	Nkhfek32.exe
File created	C:\Windows\SysWOW64\Qihoak32.exe	Qbngeadf.exe
File opened for modification	C:\Windows\SysWOW64\Okmpqjad.exe	Nfpghccm.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dlqpaafg.exe
File opened for modification	C:\Windows\SysWOW64\Cfjeckpj.exe	Cleqfb32.exe
File created	C:\Windows\SysWOW64\Hodcma32.dll	Debnjgcp.exe
File opened for modification	C:\Windows\SysWOW64\Nhjjip32.exe	Napameoi.exe
File created	C:\Windows\SysWOW64\Fflnkhef.dll	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Cleqfb32.exe	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Obkcmi32.dll	Alpnde32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6048	5516	WerFault.exe	202

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbmlmmjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoifh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napameoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollljmhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifbll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkeipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiabhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cleqfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpefaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefjnno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alpnde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbhbbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nchhfild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddekmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mahklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdgijhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedipge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moefdljc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhofnpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmimdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odljjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcpika32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbfoclai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	748f295aad985b50f7a44216dcd43950N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfmneaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimhmkgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfjllnnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bflham32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpnpqakp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhnjna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mccokj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beaecjab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciiaogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgqie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albkieqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Debnjgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidomjaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdnelpod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmahknh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dibdeegc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhjjip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoggpbpn.dll"	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abgjkpll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aioebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aiabhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhofnpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodcma32.dll"	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aioebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcpika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balodg32.dll"	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflmkg32.dll"	Pijcpmhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklociap.dll"	Nkeipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjckkcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmoncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfmgqph.dll"	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicfep32.dll"	Ciknefmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkacdofa.dll"	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkamckh.dll"	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmccbngq.dll"	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffopp32.dll"	Dgdgijhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfhegp32.dll"	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgnqacq.dll"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhopqko.dll"	Bflham32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcpika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdkapdh.dll"	Maoifh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofdqcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opepqban.dll"	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgfeb32.dll"	Bifkcioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqbpidem.dll"	Dedkogqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	748f295aad985b50f7a44216dcd43950N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdjpphi.dll"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kannaq32.dll"	Pkoemhao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aimhmkgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlefjnno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmfqngcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjgnln32.dll"	Dibdeegc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piceflpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmidc32.dll"	Bcbeqaia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	748f295aad985b50f7a44216dcd43950N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1536	1320	748f295aad985b50f7a44216dcd43950N.exe	90
PID 1320 wrote to memory of 1536	1320	748f295aad985b50f7a44216dcd43950N.exe	90
PID 1320 wrote to memory of 1536	1320	748f295aad985b50f7a44216dcd43950N.exe	90
PID 1536 wrote to memory of 3536	1536	Maoifh32.exe	91
PID 1536 wrote to memory of 3536	1536	Maoifh32.exe	91
PID 1536 wrote to memory of 3536	1536	Maoifh32.exe	91
PID 3536 wrote to memory of 2836	3536	Mlemcq32.exe	92
PID 3536 wrote to memory of 2836	3536	Mlemcq32.exe	92
PID 3536 wrote to memory of 2836	3536	Mlemcq32.exe	92
PID 2836 wrote to memory of 1104	2836	Mkgmoncl.exe	93
PID 2836 wrote to memory of 1104	2836	Mkgmoncl.exe	93
PID 2836 wrote to memory of 1104	2836	Mkgmoncl.exe	93
PID 1104 wrote to memory of 4448	1104	Mdpagc32.exe	94
PID 1104 wrote to memory of 4448	1104	Mdpagc32.exe	94
PID 1104 wrote to memory of 4448	1104	Mdpagc32.exe	94
PID 4448 wrote to memory of 2888	4448	Mlgjhp32.exe	96
PID 4448 wrote to memory of 2888	4448	Mlgjhp32.exe	96
PID 4448 wrote to memory of 2888	4448	Mlgjhp32.exe	96
PID 2888 wrote to memory of 2540	2888	Moefdljc.exe	97
PID 2888 wrote to memory of 2540	2888	Moefdljc.exe	97
PID 2888 wrote to memory of 2540	2888	Moefdljc.exe	97
PID 2540 wrote to memory of 1080	2540	Mhnjna32.exe	98
PID 2540 wrote to memory of 1080	2540	Mhnjna32.exe	98
PID 2540 wrote to memory of 1080	2540	Mhnjna32.exe	98
PID 1080 wrote to memory of 4440	1080	Mccokj32.exe	100
PID 1080 wrote to memory of 4440	1080	Mccokj32.exe	100
PID 1080 wrote to memory of 4440	1080	Mccokj32.exe	100
PID 4440 wrote to memory of 1172	4440	Mebkge32.exe	101
PID 4440 wrote to memory of 1172	4440	Mebkge32.exe	101
PID 4440 wrote to memory of 1172	4440	Mebkge32.exe	101
PID 1172 wrote to memory of 4776	1172	Mkocol32.exe	102
PID 1172 wrote to memory of 4776	1172	Mkocol32.exe	102
PID 1172 wrote to memory of 4776	1172	Mkocol32.exe	102
PID 4776 wrote to memory of 4384	4776	Mahklf32.exe	103
PID 4776 wrote to memory of 4384	4776	Mahklf32.exe	103
PID 4776 wrote to memory of 4384	4776	Mahklf32.exe	103
PID 4384 wrote to memory of 1376	4384	Nlnpio32.exe	104
PID 4384 wrote to memory of 1376	4384	Nlnpio32.exe	104
PID 4384 wrote to memory of 1376	4384	Nlnpio32.exe	104
PID 1376 wrote to memory of 372	1376	Nchhfild.exe	105
PID 1376 wrote to memory of 372	1376	Nchhfild.exe	105
PID 1376 wrote to memory of 372	1376	Nchhfild.exe	105
PID 372 wrote to memory of 2004	372	Nkcmjlio.exe	107
PID 372 wrote to memory of 2004	372	Nkcmjlio.exe	107
PID 372 wrote to memory of 2004	372	Nkcmjlio.exe	107
PID 2004 wrote to memory of 1608	2004	Nfiagd32.exe	108
PID 2004 wrote to memory of 1608	2004	Nfiagd32.exe	108
PID 2004 wrote to memory of 1608	2004	Nfiagd32.exe	108
PID 1608 wrote to memory of 3616	1608	Nkeipk32.exe	109
PID 1608 wrote to memory of 3616	1608	Nkeipk32.exe	109
PID 1608 wrote to memory of 3616	1608	Nkeipk32.exe	109
PID 3616 wrote to memory of 832	3616	Napameoi.exe	110
PID 3616 wrote to memory of 832	3616	Napameoi.exe	110
PID 3616 wrote to memory of 832	3616	Napameoi.exe	110
PID 832 wrote to memory of 1268	832	Nhjjip32.exe	111
PID 832 wrote to memory of 1268	832	Nhjjip32.exe	111
PID 832 wrote to memory of 1268	832	Nhjjip32.exe	111
PID 1268 wrote to memory of 2812	1268	Nlefjnno.exe	112
PID 1268 wrote to memory of 2812	1268	Nlefjnno.exe	112
PID 1268 wrote to memory of 2812	1268	Nlefjnno.exe	112
PID 2812 wrote to memory of 2008	2812	Nkhfek32.exe	113
PID 2812 wrote to memory of 2008	2812	Nkhfek32.exe	113
PID 2812 wrote to memory of 2008	2812	Nkhfek32.exe	113
PID 2008 wrote to memory of 5024	2008	Nbbnbemf.exe	114

C:\Users\Admin\AppData\Local\Temp\748f295aad985b50f7a44216dcd43950N.exe
"C:\Users\Admin\AppData\Local\Temp\748f295aad985b50f7a44216dcd43950N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\Maoifh32.exe
  C:\Windows\system32\Maoifh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\Mlemcq32.exe
    C:\Windows\system32\Mlemcq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\SysWOW64\Mkgmoncl.exe
      C:\Windows\system32\Mkgmoncl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        42⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        50⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Afqifo32.exe
        
        C:\Windows\system32\Afqifo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3448
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Bfhofnpp.exe
        
        C:\Windows\system32\Bfhofnpp.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        74⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        77⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Bflham32.exe
        
        C:\Windows\system32\Bflham32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Bmimdg32.exe
        
        C:\Windows\system32\Bmimdg32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\Bcbeqaia.exe
        
        C:\Windows\system32\Bcbeqaia.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        85⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        87⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Cpnpqakp.exe
        
        C:\Windows\system32\Cpnpqakp.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        91⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Cdnelpod.exe
        
        C:\Windows\system32\Cdnelpod.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Dbfoclai.exe
        
        C:\Windows\system32\Dbfoclai.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Dlncla32.exe
        
        C:\Windows\system32\Dlncla32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 400
        108⤵
        Program crash
        
        PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5516 -ip 5516
1⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4324,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
1⤵
PID:6116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfhofnpp.exe

Filesize
77KB

MD5
0d11f04e50075650439a40c97ba19531

SHA1
cc20f97b053d74bc7994bede8c71f46adbafdea9

SHA256
822fa7c633dd9ad4787646a59e5d894b8a56694d10b5aac3da2190f571435479

SHA512
44b6f582f7a80660cbb6f2a02350698dfe4582b8de2d4841790cfb8db4d4327e8af38208079230592c0cfa646342b05853856dc0b86c3df67cbc64a1e646fed7

Download Submit
C:\Windows\SysWOW64\Cfmahknh.exe

Filesize
77KB

MD5
63b7819c79e177048528b78d606738b7

SHA1
65bc107c56b51d3e4661a83ad26c5f42041e79dd

SHA256
78bf49fe41a13526a1a56ae22453e4c65af3220ca828a17a1cd5563d17ab22e8

SHA512
bf449393ea2142725679b918af809ec9b0fb81f6daf2f90d73254ece9ed5a65cf2740ab420f222834c97169ac719ae8daa1412448d84c275674200c90bd6a046

Download Submit
C:\Windows\SysWOW64\Cleqfb32.exe

Filesize
77KB

MD5
cad5d5b237a0c6b1bd524a60e59fc39c

SHA1
8d895f6acedeb52295af6b71ee4a09cc664bf25b

SHA256
9930804b31867f9e645116dcdcbb3590041858f447b7d7a222fe36e386077540

SHA512
767f2977e46c5b69f2343cd3423244bb8198f4159c1525f4210cfc4277b5f50fbfbe67c3364f43194c45e56e864968d9502840ff30064d53f2c86eee18f0bfde

Download Submit
C:\Windows\SysWOW64\Debnjgcp.exe

Filesize
77KB

MD5
956a6a6d7c91db02bda5ec62ae909c2e

SHA1
6f4b465092a966788b586d0f8e4a2e0c594261be

SHA256
219e9fbc5bb92dce8ae7a8b27fe1207866a9d343493db711966a5becd53ad04e

SHA512
494802f99413b7303fce85e9e5653f0c447bc7f30b9390e011279b69889705069c31503c1427f47651bf8ad066878b294b2e5c905f79442c7983bfe3b096c6d4

Download Submit
C:\Windows\SysWOW64\Mahklf32.exe

Filesize
77KB

MD5
ce17f570f55b6cd1b1b601e50ed0a5d0

SHA1
6ebd317a4217129785ecd76fc70662cf4485bf0d

SHA256
329ab107a6f3718091f68d47205b8cba98b10c6261ca6e0d04fcd556ce888366

SHA512
1b4e1f2e31b5a7183565045a68cc6d97d46f6656b55f65e7798850536fa22ca912d717b159f48fa22eba8c7999adfa6904ca9ccd396f7f45ba6098e748b0c0a6

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe

Filesize
77KB

MD5
32e6592b78a2d62d2e34cc0f0b653a3b

SHA1
6af3e4fff5505f84ad7651ead58919b8d68e7755

SHA256
6d6cd1beb94f09b04ca4a59acbc08f44f66f20e861029c56ffd825056175ddb8

SHA512
7c93501f9ecde2ad91df9f26172a37479a9a1150929563d2082facb4b3db09d7eec21b91f5f84b444690912d6b70c4040c75023de379e2c07d3811e17101ec03

Download Submit
C:\Windows\SysWOW64\Mccokj32.exe

Filesize
77KB

MD5
5cc42aa6c385624d74411ab1816f6c12

SHA1
4a563896fe2627c9367d36d6d2e6afdca90533d5

SHA256
955c1fd43396267d915c31df7490729581629f7de20adf5cf5a94062b0a8c4c5

SHA512
d931b6ee441805634b123324dcd77879e91ab980968ca892e8686fc78b95b72f1363d21ec951120e29c611df162a27d0fb8d0629799bb36bf754a1057f3d0ebe

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
77KB

MD5
2b000cad178f43cc7f42e174f5171914

SHA1
3fb9b19b10e9c00731a077e27382d56c36ee98c5

SHA256
bdeaae48dc2c49233cf3897bc8d5781c1672468c5e04f0ed1d35aa749fce7d1d

SHA512
0d0e1e51484dc4e73732df93e7b9068035515789744ca211c65fc6e456cc196d731f2e85131accaa900e6b4bdaba0cf08a5e0ef7d23361333b8ca883acab46c0

Download Submit
C:\Windows\SysWOW64\Mebkge32.exe

Filesize
77KB

MD5
f4e7e414277fae3e09e555bc54329cbd

SHA1
a5f2d9c3c926ba36b17a4b28ebc4638aff735b89

SHA256
fe92bf46e30d75d8fbc4f50439e1ca62a423983a74f32b780591cd80a68a44dc

SHA512
2b35b107bca2f1b956fdbffba96e3cf103a82601732753f14c6cdca9a1abff9a4a46a244645f8c23d3f96963853b7c8ab5c52980bdc16c6412417bc0bfdc2e92

Download Submit
C:\Windows\SysWOW64\Mhnjna32.exe

Filesize
77KB

MD5
1002657535e9aadc343a13e5044ad087

SHA1
2b97d5d3063b80d8b0b8f224e3ddbda4bc9fbbc5

SHA256
90a9e442269cdf9c1e0c78271a6291e541bc99f995627340fff04ae02599ada0

SHA512
df58096cda6ee3f993c38cf519a211ca0a3564a087cd088090bf99790e2d5e913caa95bd987df1d085204cd480952a9b1bf7b2a1446a8603a399f75f2369f5ff

Download Submit
C:\Windows\SysWOW64\Mkgmoncl.exe

Filesize
77KB

MD5
bb75b23ee50aebb79f99e5ec5c323d8b

SHA1
4d838b780c0859fd0770b92522d59f63e95d5d11

SHA256
fc25848a6b53f02ce64be142d70251e370f862f3ba28407fb4dfd276236ea087

SHA512
9a9ce24a1a3fde32fe51a720897870017721a9086b4b47a59612d0572e5f3961a3b3284b9141c83a348d251d777ca8cd5c2c449dd87d092d5f53a5ad3e5f6568

Download Submit
C:\Windows\SysWOW64\Mkocol32.exe

Filesize
77KB

MD5
c1144fb6e0db9719bc20e5d80adfb95b

SHA1
3f9ad764e468eb9451fd20c18241183acbdc44b6

SHA256
2a8f4d8c842618100674836a14570f5825fbd7c535adea059bd66a124b867cf8

SHA512
24196f2bf42fed9735513546842215d30ae35be351f305f14dc9634ce8d06d16a44d1df51dafc8994d9a230686bddfa2c50b496faa62d1d48749d24eda68310c

Download Submit
C:\Windows\SysWOW64\Mlemcq32.exe

Filesize
77KB

MD5
d0d9821cf250e3977be68bd32b9e8c09

SHA1
5682ed539e9225ca7ea407d99de9dd0b0e0ad9f6

SHA256
a14341b19ff15454361433c1ef409a08f97ecade32f183d52510fe9a37dab7d5

SHA512
c2a815feb047b7cab6ecce9445a8936df5f6f0ea2fe54a738b287e38118c3a79bd4c9a87220b486239f35deb44885d5790db3b2e55ff46eec60c9dd349b45593

Download Submit
C:\Windows\SysWOW64\Mlgjhp32.exe

Filesize
77KB

MD5
b8f1fc43287f9122da5ba88498e6e8a9

SHA1
517db3c582adb5019f7fbd9282b61e2672f17ad3

SHA256
42ec4d2fc5ffb38f608bbf571f6618d08f5c0a2c6e147924bf38dd6fa2955605

SHA512
85cb4044e6cccf13fac9b842b3a8531e37bbbe5d38cddd10fa43fdbdb46bff6945c23a1fdd9f2b13165eebd7d29f339f8167d6a76702caea50deb2f275fd9e1b

Download Submit
C:\Windows\SysWOW64\Moefdljc.exe

Filesize
77KB

MD5
ba6a3fe7ef48cff1d5dc2e6cd83ed967

SHA1
db40788c6a409f91603b681b68cdf7bf27c1aab8

SHA256
e6927175d51bad198016c1c72403fd734951a6bddd2a7013fd51166c1d27bf4e

SHA512
1f08f74ce3bd9c872548b3d665fdb9b8dc5ceba252597c1de49cecbd5edd128a27e3e9b53b2b8c872a30882e21a9678ac5bb9ce2030e7b74dcae7a2e0d015fc7

Download Submit
C:\Windows\SysWOW64\Napameoi.exe

Filesize
77KB

MD5
9f9b8ab7a754769c2dcc659dfee31740

SHA1
64dfa0cd612bf5c07604eae78187756a15eda9df

SHA256
db1906d37c36258b6cff6b27302d90c2aa2e78e4f77cb343b92d6bf0c81c7fc9

SHA512
8123fa3981efeb6ec19388315bcbb279e48c66b8aec933578ef7b7b25e3e423e4970a92da0d56419c7ec09e06bcc4b258602c480239dc08c05786ef7bb60bba2

Download Submit
C:\Windows\SysWOW64\Nbbnbemf.exe

Filesize
77KB

MD5
1529a780b7127f35b59c761620adc28d

SHA1
895d5f6d6683a22022753d970eac595f423fc1cd

SHA256
4504a1f7f0bb23044fc4317121d8f64dd6df4f8df0360f2329b431fff6435933

SHA512
58f45e7e06952adbddf512732d1c85128b18c31a7e45153c2a4097eee99d6ba0278e6ac2a563e5c262832dcb9e507d2107223fbef39258193c3f23e8f80606a4

Download Submit
C:\Windows\SysWOW64\Nchhfild.exe

Filesize
77KB

MD5
a51ea8fa92078f2717eeae1a0e4df49d

SHA1
a2e1e2e66f025728369ee30ea8f2fc91e63a74f7

SHA256
b19bf56762bbcb21e41378168a6778c53620fd3970e9cd544c74044fe0afa6c8

SHA512
83b9bd75530d047c844dc98766423b132e17df50604afa0a979ea182124438c55113227eb05e90e255807106f24e095bc09bb21bdd30c573c2b84f359cc17231

Download Submit
C:\Windows\SysWOW64\Nfiagd32.exe

Filesize
77KB

MD5
ca354b45d7609431181214a2163f540f

SHA1
da7af9e85da2f161bf15a0b8cefcc524632b9998

SHA256
6082f4255e8aea1ffcdb1d7053720d7678a1ba4632ffffe5d439c8c0b52ed51e

SHA512
23633e908083f691934eeb008b38254fe43de6182376fed69785c9c8beb7351aa1e24ff8f6ac848072e871a3d5cc46386bf8de64909a38e081fa9982054735e5

Download Submit
C:\Windows\SysWOW64\Nfpghccm.exe

Filesize
77KB

MD5
dc0b3c4c3840c1e4c6763078271ed3ec

SHA1
80c2842463652542a2074254d0670bc3422c823e

SHA256
8b3d009a89c6309cb75e4bbea1f29a58677711d9deef6ca8621d4024714e75ce

SHA512
3f042738e874efd00dfe0df704275ac43cd99e31eed014914ba6f7221d04f6014ec776bdc6dc63ebac5b140dfc438c8a36c2e3e3d23ac5f615fd3788488b7d62

Download Submit
C:\Windows\SysWOW64\Nhjjip32.exe

Filesize
77KB

MD5
6679ef4eed81f3175a3a48798ecb7b5e

SHA1
4871676238293e7698d26958e2df35dab45a2260

SHA256
8cac49247eb14807eb67a619933e846cc664faf96d27f2d2fd15cb508b83f37d

SHA512
cdf563571f45f4129ab0294748e5bfcab00d3b1d1f4e712801dac7e389818d97e1dc6ed3f2aa4af0010ad6bba4df2d732c17b52a9b11105f39295dc92135bcab

Download Submit
C:\Windows\SysWOW64\Nkcmjlio.exe

Filesize
77KB

MD5
6adeb937b43c5b1e566a7175122074a1

SHA1
111cedc82d0fe3c75d54bcb602262f0d195b15e6

SHA256
2b60a5577ffd6ca9823256410f18d3bb35eeabac0adb48346fdfb835e28ffabe

SHA512
297d394aec0817a644604a10e5cf5a5660a499b3aaae0af3cafc66f7b2942166aa32cd31354c672e5b331ca05aad1479c47a3177c9e37a2241ba63696aa9e44f

Download Submit
C:\Windows\SysWOW64\Nkeipk32.exe

Filesize
77KB

MD5
657c08708d18e318ec3ce29cd781630b

SHA1
7d17161895f96085587906c99861873dbf723586

SHA256
77440afe1afb4a9cdf52411f319d9f65a88a34a59f4bde8f0fc330f60d5e6c22

SHA512
af12f6ffa70dfade9676ca81501e367a9b6bdc49c3956ce5934cf9aa669ef9fcce1ab56ba0dc0b0b82290e07b1303899e6df14da011f8b575af67502b97bfd75

Download Submit
C:\Windows\SysWOW64\Nkhfek32.exe

Filesize
77KB

MD5
eba43a2d4344517ddde32d477349198f

SHA1
273c987c806952cd42253219167603e5c57ee72c

SHA256
6fe2a22cf71800aa71f74f8eb1b7f979ba1603efc5ec78730fa4d991b4225859

SHA512
4033dac02f91a9296a50d74c503aa676c69fc83b460d19b1d61977eee0bb71be3b50593f8d16400b338a8820e9254a4ee41460f04d06abb2f30703d3bf143432

Download Submit
C:\Windows\SysWOW64\Nkjckkcg.exe

Filesize
77KB

MD5
f9a1bd690f284614e350f0c833b2906f

SHA1
fbfdc1fcbbb60ec96a881aa2146a472e30e5654b

SHA256
7b52c06069d1b84cb0313fca909d731ff1827bbe6d62c78c06cae60b8c2c2075

SHA512
209d5f90d2849a7cb1606642b7b5f78f2ca1e716ba18c93763ea39d58938278e79952057c2b6da891988792fd914f6624c44e48cc72b8af1c428cc9e2ec5e5b3

Download Submit
C:\Windows\SysWOW64\Nlefjnno.exe

Filesize
77KB

MD5
f866c6f0d35ef68e8646c75953cdc42f

SHA1
d416bda7728bcb4165f99a39a438f7eef0889cf4

SHA256
d96eda9038c2f1120581ca7a1731b8b2a82ded04989bfad7edc06e4c01a775bc

SHA512
e02ee7f6ae74fd24fd521df118c4ff4cc292b701340261b63dc7eca55ca5e80d17f7b03dd97ce3bbb84fe9a9f418cc43078dba1daf7e5a12e6e9efcc32ed59e5

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
77KB

MD5
4d35fabf96219c7631c9eda7cf1812cb

SHA1
84d02044b5e9da9400b481d4fd478eb4e1dbc7b0

SHA256
e2874f53b9e2952f6433d4c70643e6c73d1b7273343129ffb670029457e14ec7

SHA512
b7deb282ac2fd501096e856d1ec4f9374a907cedc7fc8d5824dc3f9404ba9beff2bf73722278fad77a3cd59770a715b197ded5ad9c06b1118c69eec0b6d294fe

Download Submit
C:\Windows\SysWOW64\Obfhmd32.exe

Filesize
77KB

MD5
78de1b89ff9ebe44efd4a3dd392feeb6

SHA1
55489e3c452190196b09213b43b8e283da2cc2e9

SHA256
88bb94683829483787b4d9dd946a6f10a56f1d100fe8ccb5e03d80d7d07a9817

SHA512
cfd4ee4e00320a749a4f158dcd8d90573968b395d6691f7966cddead99c86ed3665a731f3341a5bcaff6ae1885fe50920bce04315ea6e93c5a2ed13b373fc502

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
77KB

MD5
db766cdd1db64848595a525a40a4ab1e

SHA1
08432e0e5b85ee80fccde31fb791be4abcde4aa9

SHA256
0cb8466e7ca2f595546a9348f676796802f8da06169871709c659049b9dbec3b

SHA512
aea3e7bd731f2813656acb457443329f957c8b0c5f37d79cfb3e2edd95074a768b43987ed9b0ce17d71aa85b9f7b1573ded4478398e7a4160b33d17443484a9e

Download Submit
C:\Windows\SysWOW64\Ofdqcc32.exe

Filesize
77KB

MD5
e64edd0028b3171f7ebfe2096df34dcc

SHA1
850cbdc90b260b00eae403d52416e7e5bf39d91f

SHA256
335c733d3cbe4962d2e7610c2e67f7544c19b04c74169c1d331b5bf341b63cf1

SHA512
8e25d8c4687170a5f88d0787dac46cc661c6cc53a4dd23f2dc61e9b97c6af44da979c358880a3f99d261fb374429913ed8371285c14651dbf1585d7b74456ad7

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe

Filesize
77KB

MD5
ca01be583e9ca290677ba12c7a324e05

SHA1
bff9493f563d09e713d08b8c7d68fe75652044ca

SHA256
2f5b8a917ed099d6fa6668e32b53795f65aa94112e7fe72e35e0551a5b0404dd

SHA512
991afd255d362d83432c7c709cb6393337e92c6bfc1912ef82352d0f2db671f73c209252ecf3d560e8bfcfe86082a0eb5a31d4105d5643893336e0e7a16e6e2f

Download Submit
C:\Windows\SysWOW64\Okceaikl.exe

Filesize
77KB

MD5
22c917ac1dc4dd2f650d85336246c0d7

SHA1
0279419390c22a0b7e2cd2a34d348ae8c9624d14

SHA256
51bbf758f6a26c3836e96899b66be5844a7923b94dd6137648dfd385be82d22f

SHA512
9ec238d9719593ab60dabddc78cfdb027b66b379f1a35145be96f61ebaba4d4dcc178d5d37a5fd1b0c3f4adfd43088ffd10fb19cd6e3135223910d48148375c5

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
77KB

MD5
90a09b90fe9c056ea4b674ff87d13d4b

SHA1
af1a782070668760cc4c04a0d3c24a3ed568cb38

SHA256
9a365e5bee3c41866cc340720fab5900a229f1a2334541514994800d07ea7b44

SHA512
801319d7817d3516b9b3da133678a2e31d1148e0a15b48f35cb5441eea23c045b4f13744349f3bfa28bf727a565697477435d4a538c3026f050db2310109c61c

Download Submit
C:\Windows\SysWOW64\Ollljmhg.exe

Filesize
77KB

MD5
e6d5951474770b35cce6d6f1ac845945

SHA1
c3cf2d30da8e47a85c0bd6e188d62290a559e023

SHA256
c44ff3ab4d5dcbfd44c65016d265febc9b5099b038c4a4250aacd705260d5d7d

SHA512
edd44a4dd7a7d76ec61781e478658d9dc6c3c8e14621d6e24b24310941873cd621097cf161d37bb73f2264b1e448a1802a99713ceb0a8a6eaf17191abe8cea95

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
77KB

MD5
d9a236d7ddba039285e4636bd780ea40

SHA1
ba9f3c3f290df53f9a83b89c06a9c36b76fd9e4b

SHA256
bae07b2e5c0a75b94803774fc8a5651db29237b5fb642b9fe71594d5cea60606

SHA512
86d44517a6588225a66c39585c1ebddb05714b470ab51f757574ac10429c06cb42e6339b184ae4fc8f8413bb62a62344633a968649e59b249c29f23ae973c5f2

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
77KB

MD5
5656cfc3a229b36e4dbeef2f62ff2ca1

SHA1
0ca00b062eb2192f628980c1657e94d6b33cdc60

SHA256
426ad0107562fa4a0acd5772da7a477457e01a38be6f46edcbf51bc2ce5311cc

SHA512
96ee68a270fdcaa3896ce07e65a311c7b1d5ba186e7732b71a6a274657afda75b111772898ac017d96f595c7ed2b9fdae2324175c5cf165b9e88efe4f923e019

Download Submit
C:\Windows\SysWOW64\Qpbgnecp.exe

Filesize
77KB

MD5
6e118ad9c0f4d5393d5d377be9929819

SHA1
40a858af34e241368038247c5d7061ec513932fe

SHA256
6d2cc5da5f5bb610464b18b31123f8a5ffe3698eb13e968c510b8a90e99060b2

SHA512
f10c86f6fc67b8d2af9d32b14e77768f51d9da81afe8e97e54ae110de03533235d61526ea2936bebbea47529f0175248c689d5a142a52d8b5aefc893bace9f03

Download Submit
memory/32-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/184-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/372-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/632-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/832-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1048-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1104-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1104-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1172-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1320-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1320-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1320-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1372-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1376-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2008-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2784-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2952-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3172-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3372-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3616-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3780-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4044-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4128-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4384-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4420-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4952-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5024-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5160-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5200-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5240-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5280-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5320-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5360-513-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5396-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5440-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5488-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5528-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5584-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5640-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5688-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5736-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5784-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5828-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5868-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5920-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads