4131c71d93b2897b2eb786f4a8141e765b3ba261a7a51490e86332d592a79312

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca5b5d72518e82b19621a4062403fce0N.exe
Size

404KB
MD5

ca5b5d72518e82b19621a4062403fce0
SHA1

7c5f80d6c2a45dd44fb1582166f32a9bc34e0ea9
SHA256

4131c71d93b2897b2eb786f4a8141e765b3ba261a7a51490e86332d592a79312
SHA512

3ad58344fc0daee73ca989b1e19c4b6a4fcfd2b3f97dafebc46efbe12997a713279c070b5a77b4419837bccac1398e43f9b5a4f5df63ee8392536b426f497404
SSDEEP

6144:j6Rh9gxaO25TENm+3Mpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836S5:yhmCawcMpV6yYP4rbpV6yYPg058KS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beoimjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdebfago.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blknpdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cefoni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nheqnpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abgjkpll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bimach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbefln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbhbbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ochamg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abpcja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odjmdocp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apimodmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpqlfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cekhihig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Alkeifga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofbdncaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beaecjab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmmgof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Napameoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aehbmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmagch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bejobk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lamlphoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nooikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ca5b5d72518e82b19621a4062403fce0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	ca5b5d72518e82b19621a4062403fce0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amoknh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocfdgg32.exe

Executes dropped EXE 64 IoCs

pid	Process
3088	Lamlphoo.exe
2860	Moalil32.exe
4988	Maoifh32.exe
2268	Nlnpio32.exe
1880	Nchhfild.exe
2620	Nheqnpjk.exe
4544	Nooikj32.exe
3300	Nhgmcp32.exe
1132	Napameoi.exe
3288	Nhjjip32.exe
4840	Nconfh32.exe
4964	Nfnjbdep.exe
916	Nhlfoodc.exe
2652	Nkjckkcg.exe
4844	Ncaklhdi.exe
1056	Nbdkhe32.exe
2528	Odbgdp32.exe
5072	Ohncdobq.exe
2720	Okmpqjad.exe
4340	Oohkai32.exe
4144	Ocdgahag.exe
5016	Ofbdncaj.exe
5040	Odedipge.exe
4352	Ollljmhg.exe
2472	Okolfj32.exe
3500	Ocfdgg32.exe
3548	Obidcdfo.exe
2764	Ofdqcc32.exe
4520	Odgqopeb.exe
3192	Oloipmfd.exe
2400	Oomelheh.exe
4156	Ochamg32.exe
2520	Ofgmib32.exe
4884	Odjmdocp.exe
3940	Omaeem32.exe
4584	Okceaikl.exe
5160	Ocknbglo.exe
5196	Ofijnbkb.exe
5244	Odljjo32.exe
5284	Omcbkl32.exe
5316	Ooangh32.exe
5364	Ocmjhfjl.exe
5400	Oflfdbip.exe
5436	Pdngpo32.exe
5476	Pmeoqlpl.exe
5524	Podkmgop.exe
5556	Pcpgmf32.exe
5596	Pfncia32.exe
5636	Pdqcenmg.exe
5684	Pilpfm32.exe
5720	Pofhbgmn.exe
5756	Pbddobla.exe
5804	Pfppoa32.exe
5836	Piolkm32.exe
5876	Pmjhlklg.exe
5916	Poidhg32.exe
5956	Pcdqhecd.exe
6004	Pfbmdabh.exe
6036	Piaiqlak.exe
6076	Pkoemhao.exe
6116	Pokanf32.exe
1864	Pbimjb32.exe
3704	Pehjfm32.exe
1212	Pmoagk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pilpfm32.exe	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Amoknh32.exe	Aehbmk32.exe
File created	C:\Windows\SysWOW64\Cqbolk32.dll	Bfjllnnm.exe
File created	C:\Windows\SysWOW64\Odjmdocp.exe	Ofgmib32.exe
File opened for modification	C:\Windows\SysWOW64\Ocmjhfjl.exe	Ooangh32.exe
File created	C:\Windows\SysWOW64\Ngllodpm.dll	Cidgdg32.exe
File created	C:\Windows\SysWOW64\Okmpqjad.exe	Ohncdobq.exe
File created	C:\Windows\SysWOW64\Lhlaofoa.dll	Apgqie32.exe
File created	C:\Windows\SysWOW64\Dipgpf32.exe	Dbfoclai.exe
File created	C:\Windows\SysWOW64\Nooikj32.exe	Nheqnpjk.exe
File created	C:\Windows\SysWOW64\Abohmm32.dll	Nconfh32.exe
File opened for modification	C:\Windows\SysWOW64\Pbddobla.exe	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Obkcmi32.dll	Alpnde32.exe
File opened for modification	C:\Windows\SysWOW64\Aehbmk32.exe	Abjfqpji.exe
File opened for modification	C:\Windows\SysWOW64\Ooangh32.exe	Omcbkl32.exe
File opened for modification	C:\Windows\SysWOW64\Oflfdbip.exe	Ocmjhfjl.exe
File opened for modification	C:\Windows\SysWOW64\Qkdohg32.exe	Qifbll32.exe
File created	C:\Windows\SysWOW64\Eobepglo.dll	Aiabhj32.exe
File created	C:\Windows\SysWOW64\Bldgoeog.exe	Bmagch32.exe
File created	C:\Windows\SysWOW64\Bbefln32.exe	Bpgjpb32.exe
File created	C:\Windows\SysWOW64\Oihlnd32.dll	Dmifkecb.exe
File opened for modification	C:\Windows\SysWOW64\Bimach32.exe	Beaecjab.exe
File opened for modification	C:\Windows\SysWOW64\Akihcfid.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Cifdjg32.exe	Cekhihig.exe
File created	C:\Windows\SysWOW64\Lamlphoo.exe	ca5b5d72518e82b19621a4062403fce0N.exe
File opened for modification	C:\Windows\SysWOW64\Nlnpio32.exe	Maoifh32.exe
File opened for modification	C:\Windows\SysWOW64\Nchhfild.exe	Nlnpio32.exe
File created	C:\Windows\SysWOW64\Hfqgoo32.dll	Qpbgnecp.exe
File created	C:\Windows\SysWOW64\Fmfbakio.dll	Nchhfild.exe
File created	C:\Windows\SysWOW64\Omclnn32.dll	Nhjjip32.exe
File opened for modification	C:\Windows\SysWOW64\Nhlfoodc.exe	Nfnjbdep.exe
File created	C:\Windows\SysWOW64\Oohkai32.exe	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Dfhegp32.dll	Ofbdncaj.exe
File created	C:\Windows\SysWOW64\Bbndhppc.dll	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Qfgfpp32.exe	Pcijce32.exe
File created	C:\Windows\SysWOW64\Nbdkhe32.exe	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Pmjhlklg.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Pcdqhecd.exe	Poidhg32.exe
File created	C:\Windows\SysWOW64\Mmccbngq.dll	Alkeifga.exe
File created	C:\Windows\SysWOW64\Clbdpc32.exe	Cidgdg32.exe
File created	C:\Windows\SysWOW64\Gpngef32.dll	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Doklblnq.dll	Acgfec32.exe
File created	C:\Windows\SysWOW64\Apngjd32.exe	Amoknh32.exe
File created	C:\Windows\SysWOW64\Blknpdho.exe	Bimach32.exe
File created	C:\Windows\SysWOW64\Cidgdg32.exe	Cehlcikj.exe
File created	C:\Windows\SysWOW64\Aiaeig32.dll	Odedipge.exe
File created	C:\Windows\SysWOW64\Pmeoqlpl.exe	Pdngpo32.exe
File opened for modification	C:\Windows\SysWOW64\Qmckbjdl.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Dmifkecb.exe	Debnjgcp.exe
File created	C:\Windows\SysWOW64\Nffopp32.dll	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Haafdi32.dll	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Aflpkpjm.exe	Abpcja32.exe
File opened for modification	C:\Windows\SysWOW64\Bclppboi.exe	Bldgoeog.exe
File opened for modification	C:\Windows\SysWOW64\Dbfoclai.exe	Dpgbgpbe.exe
File opened for modification	C:\Windows\SysWOW64\Maoifh32.exe	Moalil32.exe
File created	C:\Windows\SysWOW64\Ncaklhdi.exe	Nkjckkcg.exe
File opened for modification	C:\Windows\SysWOW64\Pfppoa32.exe	Pbddobla.exe
File opened for modification	C:\Windows\SysWOW64\Cifdjg32.exe	Cekhihig.exe
File created	C:\Windows\SysWOW64\Ioeiam32.dll	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Fhmeii32.dll	Okmpqjad.exe
File opened for modification	C:\Windows\SysWOW64\Qppkhfec.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Qppkhfec.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Ocdgahag.exe	Oohkai32.exe
File opened for modification	C:\Windows\SysWOW64\Bblcfo32.exe	Apngjd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4476	6332	WerFault.exe	243

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjfqpji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmmgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofhbgmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obidcdfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poidhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cifdjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmahknh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alkeifga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgjkpll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beaecjab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpgjpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nooikj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amoknh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdebfago.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Debnjgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blknpdho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdgolq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cidgdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddekmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nchhfild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odljjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apimodmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bimach32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cemeoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dibdeegc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napameoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdkhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cefoni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldgoeog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjmdocp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acgfec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apngjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejobk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoifh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnjbdep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpqlfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clijablo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dipgpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhlikpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhlfoodc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beoimjce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbhbbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okcfidmn.dll"	Napameoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfnjbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdfnq32.dll"	Ollljmhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ca5b5d72518e82b19621a4062403fce0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlaofoa.dll"	Apgqie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acgfec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beoimjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihlnd32.dll"	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpgbgpbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Omaeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonhbi32.dll"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bejobk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgfeb32.dll"	Bldgoeog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjam32.dll"	Odbgdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdphmfph.dll"	Bclppboi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcdqhecd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcpika32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	ca5b5d72518e82b19621a4062403fce0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpjjj32.dll"	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bliajd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lamlphoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odbgdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Poidhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icldmjph.dll"	Bmagch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cekhihig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbfoclai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okolfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbelak32.dll"	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ollljmhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmjhlklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afqifo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbooabbb.dll"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpngef32.dll"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odedipge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmole32.dll"	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgeebem.dll"	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahgec32.dll"	Bmfqngcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 3088	2736	ca5b5d72518e82b19621a4062403fce0N.exe	91
PID 2736 wrote to memory of 3088	2736	ca5b5d72518e82b19621a4062403fce0N.exe	91
PID 2736 wrote to memory of 3088	2736	ca5b5d72518e82b19621a4062403fce0N.exe	91
PID 3088 wrote to memory of 2860	3088	Lamlphoo.exe	93
PID 3088 wrote to memory of 2860	3088	Lamlphoo.exe	93
PID 3088 wrote to memory of 2860	3088	Lamlphoo.exe	93
PID 2860 wrote to memory of 4988	2860	Moalil32.exe	94
PID 2860 wrote to memory of 4988	2860	Moalil32.exe	94
PID 2860 wrote to memory of 4988	2860	Moalil32.exe	94
PID 4988 wrote to memory of 2268	4988	Maoifh32.exe	96
PID 4988 wrote to memory of 2268	4988	Maoifh32.exe	96
PID 4988 wrote to memory of 2268	4988	Maoifh32.exe	96
PID 2268 wrote to memory of 1880	2268	Nlnpio32.exe	97
PID 2268 wrote to memory of 1880	2268	Nlnpio32.exe	97
PID 2268 wrote to memory of 1880	2268	Nlnpio32.exe	97
PID 1880 wrote to memory of 2620	1880	Nchhfild.exe	98
PID 1880 wrote to memory of 2620	1880	Nchhfild.exe	98
PID 1880 wrote to memory of 2620	1880	Nchhfild.exe	98
PID 2620 wrote to memory of 4544	2620	Nheqnpjk.exe	99
PID 2620 wrote to memory of 4544	2620	Nheqnpjk.exe	99
PID 2620 wrote to memory of 4544	2620	Nheqnpjk.exe	99
PID 4544 wrote to memory of 3300	4544	Nooikj32.exe	100
PID 4544 wrote to memory of 3300	4544	Nooikj32.exe	100
PID 4544 wrote to memory of 3300	4544	Nooikj32.exe	100
PID 3300 wrote to memory of 1132	3300	Nhgmcp32.exe	101
PID 3300 wrote to memory of 1132	3300	Nhgmcp32.exe	101
PID 3300 wrote to memory of 1132	3300	Nhgmcp32.exe	101
PID 1132 wrote to memory of 3288	1132	Napameoi.exe	102
PID 1132 wrote to memory of 3288	1132	Napameoi.exe	102
PID 1132 wrote to memory of 3288	1132	Napameoi.exe	102
PID 3288 wrote to memory of 4840	3288	Nhjjip32.exe	103
PID 3288 wrote to memory of 4840	3288	Nhjjip32.exe	103
PID 3288 wrote to memory of 4840	3288	Nhjjip32.exe	103
PID 4840 wrote to memory of 4964	4840	Nconfh32.exe	104
PID 4840 wrote to memory of 4964	4840	Nconfh32.exe	104
PID 4840 wrote to memory of 4964	4840	Nconfh32.exe	104
PID 4964 wrote to memory of 916	4964	Nfnjbdep.exe	105
PID 4964 wrote to memory of 916	4964	Nfnjbdep.exe	105
PID 4964 wrote to memory of 916	4964	Nfnjbdep.exe	105
PID 916 wrote to memory of 2652	916	Nhlfoodc.exe	106
PID 916 wrote to memory of 2652	916	Nhlfoodc.exe	106
PID 916 wrote to memory of 2652	916	Nhlfoodc.exe	106
PID 2652 wrote to memory of 4844	2652	Nkjckkcg.exe	107
PID 2652 wrote to memory of 4844	2652	Nkjckkcg.exe	107
PID 2652 wrote to memory of 4844	2652	Nkjckkcg.exe	107
PID 4844 wrote to memory of 1056	4844	Ncaklhdi.exe	108
PID 4844 wrote to memory of 1056	4844	Ncaklhdi.exe	108
PID 4844 wrote to memory of 1056	4844	Ncaklhdi.exe	108
PID 1056 wrote to memory of 2528	1056	Nbdkhe32.exe	109
PID 1056 wrote to memory of 2528	1056	Nbdkhe32.exe	109
PID 1056 wrote to memory of 2528	1056	Nbdkhe32.exe	109
PID 2528 wrote to memory of 5072	2528	Odbgdp32.exe	110
PID 2528 wrote to memory of 5072	2528	Odbgdp32.exe	110
PID 2528 wrote to memory of 5072	2528	Odbgdp32.exe	110
PID 5072 wrote to memory of 2720	5072	Ohncdobq.exe	111
PID 5072 wrote to memory of 2720	5072	Ohncdobq.exe	111
PID 5072 wrote to memory of 2720	5072	Ohncdobq.exe	111
PID 2720 wrote to memory of 4340	2720	Okmpqjad.exe	112
PID 2720 wrote to memory of 4340	2720	Okmpqjad.exe	112
PID 2720 wrote to memory of 4340	2720	Okmpqjad.exe	112
PID 4340 wrote to memory of 4144	4340	Oohkai32.exe	113
PID 4340 wrote to memory of 4144	4340	Oohkai32.exe	113
PID 4340 wrote to memory of 4144	4340	Oohkai32.exe	113
PID 4144 wrote to memory of 5016	4144	Ocdgahag.exe	114

C:\Users\Admin\AppData\Local\Temp\ca5b5d72518e82b19621a4062403fce0N.exe
"C:\Users\Admin\AppData\Local\Temp\ca5b5d72518e82b19621a4062403fce0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\Lamlphoo.exe
  C:\Windows\system32\Lamlphoo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\Moalil32.exe
    C:\Windows\system32\Moalil32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\Maoifh32.exe
      C:\Windows\system32\Maoifh32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
      - C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        30⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        31⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        38⤵
        Executes dropped EXE
        
        PID:5160
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5196
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5596
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6004
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        61⤵
        Executes dropped EXE
        
        PID:6076
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        71⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:648
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        77⤵
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        79⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        81⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        82⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Alkeifga.exe
        
        C:\Windows\system32\Alkeifga.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Afqifo32.exe
        
        C:\Windows\system32\Afqifo32.exe
        85⤵
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Almanf32.exe
        
        C:\Windows\system32\Almanf32.exe
        87⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6180
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        90⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        91⤵
        Drops file in System32 directory
        
        PID:6260
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        92⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6388
        
        C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Amoknh32.exe
        
        C:\Windows\system32\Amoknh32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6512
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        98⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Bmagch32.exe
        
        C:\Windows\system32\Bmagch32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        102⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        103⤵
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6784
        
        C:\Windows\SysWOW64\Bmddihfj.exe
        
        C:\Windows\system32\Bmddihfj.exe
        105⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        107⤵
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        108⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        109⤵
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        110⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7064
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7104
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7144
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4396
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Bmkjig32.exe
        
        C:\Windows\system32\Bmkjig32.exe
        117⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Blnjecfl.exe
        
        C:\Windows\system32\Blnjecfl.exe
        118⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        123⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Cdgolq32.exe
        
        C:\Windows\system32\Cdgolq32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:6172
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        125⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        126⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6336
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        128⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        129⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Cpqlfa32.exe
        
        C:\Windows\system32\Cpqlfa32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6624
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2448
        
        C:\Windows\SysWOW64\Cemeoh32.exe
        
        C:\Windows\system32\Cemeoh32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Clgmkbna.exe
        
        C:\Windows\system32\Clgmkbna.exe
        135⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Cdnelpod.exe
        
        C:\Windows\system32\Cdnelpod.exe
        136⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6848
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        138⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6940
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7060
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Dbfoclai.exe
        
        C:\Windows\system32\Dbfoclai.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6148
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        150⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        151⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 412
        152⤵
        Program crash
        
        PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6332 -ip 6332
1⤵
PID:6496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8
1⤵
PID:7080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dbfoclai.exe

Filesize
404KB

MD5
f66025236ee610af3a63d19563fa0da3

SHA1
4179e23facd250ed9b3d53cfbd18b8967194eb41

SHA256
b1f98629bc6a4708f5bf79fec648a5d303b37084312e9c587828fc698179d143

SHA512
c2d42a43b8cff145bb26716be0a01761fc5172ff30f0d9c5c26c0e58b6569aad34bb240d62b646368219b3a867e906370ed1b8ec9d8601bdb6085430f583c344

Download Submit
C:\Windows\SysWOW64\Ffmnibme.dll

Filesize
7KB

MD5
abfdbef736dfa5b87cbe8d5b898709d8

SHA1
39be56ce2dfe9d43e4ee39c47a7cda30dcc584b5

SHA256
0553626a6f4a49f6aee4ac40572cb33b6a9ec5c784d611d7430c6b5734da6695

SHA512
2b9fd2ee236351385c861889c563e4266658f968ed85d5cd94b960f3daf31fc674f0025f6ada5dfe7ee306495b95cc3496c083b546fded1dc42fbc71f229c98c

Download Submit
C:\Windows\SysWOW64\Lamlphoo.exe

Filesize
404KB

MD5
76e24d1591f003745fd7d17d612d21e5

SHA1
369095843bdf2ec402bc1efec6fa5242ea7d670d

SHA256
38221f3b87ce063d93c14c97f0313d8365d8b92d9e9dd01f96d16a25163f4780

SHA512
b0a5cb152f8c27c57f9147e8f56e025673c9a79f20d38b4a26858b2cb8827d442ccbef63997dae06c90654377ceb746701a40b055d703e939b8a586872deed13

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe

Filesize
404KB

MD5
1e1048265acf966c214240bd271e8bf2

SHA1
6c8f426ed52c1b5e828824df5500cb272bccf437

SHA256
db2a0c32c052ad6f5fd2c3e963ab714f3fc3ab44cccf10706df755921368cb26

SHA512
effbd7bf7fc4fe406f1f0b07be845c699db6c03682691e2db892aeb6932dbf3376f4520f1500c17fcf49240fbf52b03e9505b2c84070192431390869e3343ffc

Download Submit
C:\Windows\SysWOW64\Moalil32.exe

Filesize
404KB

MD5
1ad4d19c850447387e4d034066979830

SHA1
0378ba68c4f2ffcc405ac4d539417f7f2d351167

SHA256
e9e368d518c8108076a4f2f4c6437b7fd6eb9b42c0467494a2e5daa73db105f4

SHA512
09d4e4f51fdd1a1454b990f0cb28d4c81b5ad354abe0256a024551667715cd4620c92e74c43183079c1438dc700a18d1c5ccc52bade2955f5a56383343feeeb2

Download Submit
C:\Windows\SysWOW64\Napameoi.exe

Filesize
404KB

MD5
c57fc43d0dde37158510046704e12109

SHA1
7212f12b2f4a6ad456fcb0ef095d0163c97b7337

SHA256
ba7aeef8fea1012fece56d9e9a1b1b6686f41a45b3b975409b862ad6bc5b2de8

SHA512
9d5ca09584ccac9fe5cd1d63bdd9417bfda9aee9d691a3ce88a8c41019126b4cbbf3f1be39e3b3e35d08cd0dc1be38b6b9a8575c2857cd316fc188734b3cdaf9

Download Submit
C:\Windows\SysWOW64\Nbdkhe32.exe

Filesize
404KB

MD5
90b65825af6b060aade2084a252896f0

SHA1
3e6f934c1d8aa8c27770fb8ebffa5ccd4757b27d

SHA256
48262f9eb4db36aff55315d0fa2b0e6e63fc962cbff5b8285e964f195f84dd94

SHA512
b94223486aef95bf24a15c0ba64b88d82a1d3dd5d51cd83f86c3dd1e749ee56705224c2b7e592670b670b658d33bae6c8cb4240d8019c0f94c22aa7ee3590e60

Download Submit
C:\Windows\SysWOW64\Ncaklhdi.exe

Filesize
404KB

MD5
0b2c44ff5c965eb2689fb73981abd594

SHA1
927d4817a003abdd6adcf5259c0209b7034ba1ee

SHA256
8ff888df3eea0807863a1871edd2bb3f27ed56708cda38c8c79d8a239f4be929

SHA512
2bc07128af271b4513330ad27c96b43d7b6508537e831dd244cd97c24957e92619541e01f5126cb99ca3b4dd773ce7fa1ab07381dac883537dc4e7df79e642f7

Download Submit
C:\Windows\SysWOW64\Nchhfild.exe

Filesize
404KB

MD5
49df05ac400c88590f9675da61e4dbe6

SHA1
9142c01d5e1614ff02d5f2310a7521b230969328

SHA256
60eb66ef8ec9748166b31bd4df647f1189b7601e2b5a407908271d32b71880c3

SHA512
4ccc7598b2f4d8810966a27af4169cf17caa2896de25ead5525f4636f96b07aa00f09120d0f43a6e2a181f12fcb5707bfad1ad3457e3fffb0d6ca402ee66b168

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
404KB

MD5
569b86c3caee7d1cbf1578d479f8e7d1

SHA1
55430820f11d755c2c853f5d2aea4cf580d67ede

SHA256
00dfbac56834ca7bc6eb953bd0f4c5fee0e22b7709572c078739a6dff62f54ae

SHA512
829ec2c2b9b145447cbcb39919945a345f36c764fa14614c159f8172db146b217d3b57d993f45a5c7c8c7dc2bf363525e2d68bd187ad792aa41d3be2b5415a5f

Download Submit
C:\Windows\SysWOW64\Nfnjbdep.exe

Filesize
404KB

MD5
92996aa7461cd37b643ed1f152eb036e

SHA1
cc6389a8b6ca82e9ce77ef03e2c20e9b2785f0a1

SHA256
9fab35a6fedb7088bdbd33638859a98af54f09cafecde3a2da851e127773de66

SHA512
b2aee0e4ffadf5cbe55eaaae475755e263c7248d7778acada33ea4d6d5d766910a651571458067c76e2c58a7044b600acce904b7b44350783c862d2cbd68e22d

Download Submit
C:\Windows\SysWOW64\Nheqnpjk.exe

Filesize
404KB

MD5
332b3a0aa2b0e590f4f9d9f3d513c9cc

SHA1
63f9bed3bc64b84368fdc50ebf8a9cc9f74fe442

SHA256
3e6ecfd29426a9ceda740c46ef1610681836d37bfce070531c8686330a86639b

SHA512
ce4c752fd032c1c4ae87d877fe80a96cd191a4e765db0b74559f99abf7d6f38b3373889b28001ec42d1df475d6dd9aaeeb8608e2cf39aede658d99e296fe6c21

Download Submit
C:\Windows\SysWOW64\Nhgmcp32.exe

Filesize
404KB

MD5
758b16087995cbed2c9802cf5eeb8a06

SHA1
ff08ebd06fe917bd6a57a0701987df838570ff26

SHA256
835f07f29463d88b73f61ac5bdb2b42131a66b0ea2a4d022a88a19bc0a909afd

SHA512
e8da6f7431f67f844434d5b5591bac81eaa7213eb01f1c1719a1753f31fbba01692b3475c66a877a19632e7c1cc68ca369640cc8cc15282ef04c1fd3f7a124b6

Download Submit
C:\Windows\SysWOW64\Nhjjip32.exe

Filesize
404KB

MD5
baad35915c3f22226f8117e2d1a90045

SHA1
ee5396b84e622d36283db2f8267420182826a7ff

SHA256
fbc59179293728153b7efdbb78edfddf19d440063e83be81515a16f163538cf8

SHA512
4bb317eeba7808ee686a93a575f5396b156c90db1da8b8e9f6876a19c30ca32f6b0a9857ece76a03231fa27e9efda8fd6eeeaf4d711caaf8668e6d68c2340dfe

Download Submit
C:\Windows\SysWOW64\Nhlfoodc.exe

Filesize
404KB

MD5
7f92d45ddedc2f2117f588f13edcc164

SHA1
08403c2c21d10fd927c478c575d512469bb273bb

SHA256
5373dd3a958f662c00fadc01dff010eed489f8009aaf471ed1eb445b47bb1ed7

SHA512
6ca84fc1de29144828327fbb3b72db73964032b702cfe8ece984f1e37ce547b2fc2c9c2b8e2b8c8e345a284a6932457b6f71b170be96873ed3844b95947b1241

Download Submit
C:\Windows\SysWOW64\Nkjckkcg.exe

Filesize
404KB

MD5
497190ae2c21abc3f3f9197b0ba61c8d

SHA1
6b35b26a65e19dfaf866f4367fd03222b52f0c9c

SHA256
30fe3b48c2e66b38adb44ce26bf2fa15513421d35ad942ffcb86d1c9938629c2

SHA512
31114cd959ff6dedf943e869e0c6c08040491542b2eb7f42ee37ae9ffee80d9315dcaf7c2400b4d25a9c2da54e556f8444d24e88f7211943713f6cd86ead877d

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
404KB

MD5
95307649728c464682722d0d358a7c58

SHA1
762cee7b3d756b0f78951ad8051d8c620610d145

SHA256
72bdc169c32528c466affdece4ad9dd7b62e2c99f08c9c906ec22ef01b877a32

SHA512
1aaa7ef1d4a7bcef1b4f86980c17fcd359e37cacd191774912a40f762fd6e07b91b94b8faba443108801a39bb56b14293043efab156deb3f1dc2e9d94b5bc960

Download Submit
C:\Windows\SysWOW64\Nooikj32.exe

Filesize
404KB

MD5
f2668a95ae4483c55541d7f2d5d94001

SHA1
a4927cfb945a76c24f46ab1c41c32ad0fbfc8f00

SHA256
f868fc8a0359fea28c0d859a6964b3f5df18ceb809c5ba54a48862088d8bf7ff

SHA512
41361c790e9dfa8cf694e483da610378931fa5fdaa79a750482848ec6eff705e6496285ac123a8a59b4a62f56bba5389ea16c55059732f8b9b4e89d190479eac

Download Submit
C:\Windows\SysWOW64\Obidcdfo.exe

Filesize
404KB

MD5
40e8b96ba21b17d64993e049bb041e97

SHA1
3ef26a454a12dab2743be4d2f5fc92a56576168b

SHA256
596360036413abec97448b0e98f4518bc6c93f32dbef80b09a9b4a30475a9ddf

SHA512
5e9966cd0a113c3ff13e21f751c6466d2178fdc238a5f0d3094e34e33acf4d3ec0ac835945f555b19eb648f4709da987c9ce35cc67aff60133096b7977c3da0f

Download Submit
C:\Windows\SysWOW64\Ocdgahag.exe

Filesize
404KB

MD5
b16b17c1e4dc5a9df7ef524ddd56a0a1

SHA1
e1b9d6d025fccc5b90c17088b12603edbfe21f7d

SHA256
cbc53fa48ae1c153ebaf75f7197f879666130bb427192c03922102c8b0ea4366

SHA512
e42373c007614c2241065b0dbf25ab41bbe2c3e16c5461e3f040b0626963423eff03c6ebb54a7877edf6ce098a9aa7a6146921856631327757344de6af1a98e4

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
404KB

MD5
202eaca965a314724f731b67fd128c58

SHA1
99a4a0c55dede33241f2b583c02e8ebeaa53eb0f

SHA256
e8489e9e19a91d5bcac0866e91abfa50444781020658b3427b9ba2a03f056c98

SHA512
6733c92a7ef770a5f750d330ca26b7bf0e14e38837f6eb6be0bdbff56909a6c4d930987bc02c6ba93f53b1d3e4853f13aae89e2d2bb14ef0f36c58273145142c

Download Submit
C:\Windows\SysWOW64\Ochamg32.exe

Filesize
404KB

MD5
b37ac69580e75f980dfcff790a49c5c1

SHA1
4db287da0484b6b528400d569cba46a817b493cd

SHA256
cb9933894dcb0a533500da069105013ba94b80115bb6253ac981ebef37162d35

SHA512
fc66630b318589e0333181648aa899fbfef7f0ced1e93690bd82dc41705cbafd7227441ec7161e8c536bf8976096b07c3706a4fcccaa27a6d3441a0d1d3b46f8

Download Submit
C:\Windows\SysWOW64\Odbgdp32.exe

Filesize
404KB

MD5
e27f8f896b3479c5e263f9c470964eda

SHA1
8d51f8b7533696bf5cd383fe4bc88cefc014d680

SHA256
5a126d3e00f9c17f9b57cdb357e6ed4be8f025001ac406072ddeb5623f7279ea

SHA512
784a914987eb9f1a69da7dcf7d6f0a82c71a9cb8df19f9110206232ac59e54de37593db1d73e4de0dfb19786a922c7377dd4a4053769accb8d635ca96004479b

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
404KB

MD5
427e856fdb0eb8a204a0404fd3fccd68

SHA1
241902f18983445f65fb3057954e7eb704f4a9af

SHA256
7385b73b879b87eb8d1b1fa009eacb15eca3ee525b47e8d81386e1356e002eca

SHA512
8e66db4dc8d46c7b05a1c497dd019072982e005772a5ecf82e9392c7985d9b584977924c86c52bc308c8c318bd474810327ab51d3e2d53e63db6ca896a9f8c70

Download Submit
C:\Windows\SysWOW64\Odgqopeb.exe

Filesize
404KB

MD5
bc94b35a6924c28f26ffb5fbc9841b0c

SHA1
1209a9906c1e6ea226238fede33164abe7e44147

SHA256
dd9907375556be352d498ae27852eb1166937c01fbeae5af320b54b93f68c771

SHA512
325a82b39f7a813d45a7258fce22def116415a7e9b345d56e11658c782cb996342196ede5abe74f94c9818fd13e0966bc6e771474c223ede6539fa03c5767235

Download Submit
C:\Windows\SysWOW64\Ofbdncaj.exe

Filesize
404KB

MD5
d625ff0204963b4444d4cf2014a219c9

SHA1
e527dd1f50a76600c818c12c2648d258b6de743e

SHA256
8f70591dcfc6dc1bbc91b36c2abcdf2bc51d5767183eb0e9b36ad6d265e700b7

SHA512
04d97f46c69b911b4a7d919591da8551ce65351a7cd744405e5e75415d09c1230e1d641b8df5f53b7803e8dbf28a51eab0f87da27db349a6a10f731df9265ec6

Download Submit
C:\Windows\SysWOW64\Ofdqcc32.exe

Filesize
404KB

MD5
4319d8f6e933cf40a5a4b4eda84fe41e

SHA1
a4f5a138d42c158fc93a0f3d0c9fe8ba5f779d29

SHA256
6354ebe552b1e0634a72836106565cf2a43df2e89009ddb6a5d7fcfc17bee294

SHA512
77229b4e33b340ea03edc088be9f12d9b8f81bb7726e96bf1639a5eb12c7d6ea28942d26735602ede586de722efcb847088c66460a92a409914dfc5c23e8e480

Download Submit
C:\Windows\SysWOW64\Ohncdobq.exe

Filesize
404KB

MD5
31a417158d298e3815f7c16c43d21548

SHA1
8921b7bc1abb90f3a1e39eff0f89ef2f8069a3d8

SHA256
2756891a7c3f5faaeeb45de1949727086717efa336e1793145b922ee562d7083

SHA512
9faf6ba5bc145107d98829cc581dfa24be284a5d6ddbb423332458e03ad4ae54bb37afb315603742cd0cee623b9aed982bdb91632054f4c70e2ddb986d5d3115

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
404KB

MD5
00a4f399ee945bf0aea00a024616e9cd

SHA1
a9f43ee3645fbc308dabcdfd4127a79e46cb3b5b

SHA256
505415a36255f0c8b8db08e485bdda433ea3aba0b7e601f10eaaeb7d59e829fa

SHA512
e7f074becc39c1a562568f7d88fe22aca0b22dfdbebdcf9395810c921bf4deda852758db322ae35f92701b49218b119ae9ddb478dca11455ac19fc3df61d9a17

Download Submit
C:\Windows\SysWOW64\Okolfj32.exe

Filesize
404KB

MD5
58c70d8ff830dac5b8eb9da90e73f242

SHA1
62b9cbf887cf0d888cf5b8856ffa566e855fcf2c

SHA256
927e5007264b80e4cf889482dd44110558c05e1636d40ec3e2b17af4a82d8f92

SHA512
d4ff62ac09ee105972bbca449ab66b58947cb529e10d75f730fbe582254504ee88e80d4210c26ad7d0d1344df69c9f37e1a937de1c6413fc20f3caa1503b811a

Download Submit
C:\Windows\SysWOW64\Ollljmhg.exe

Filesize
404KB

MD5
5f31e371fb6535f401dffea9adaf47c8

SHA1
d7efa7243251c41212309ffd29d4aa6ecb81527e

SHA256
b0f50e2a339bbcb413e10593885ef4188c23b131141e007d0628d8b3304aa5e8

SHA512
887dfa81482e1b24ee3cf1c74774a6bf8f28031c92c4ab0878ef1b62721316e5f59992ed94e62753d2c53825db7561d8ccaad98695f5a6b1247d033fccbfc0fa

Download Submit
C:\Windows\SysWOW64\Oloipmfd.exe

Filesize
404KB

MD5
0deecc11434cbecefe63f3b4e34dbc60

SHA1
154d8d24928fec32acac1b9dc7c721f05913f70b

SHA256
60b725d0bec27c5a90c4399b27b8f1e5210a4a1e85d18007847588d78313d0fc

SHA512
62b9b0469f5e9b1b44e7681e48fd254db57ed889f697f3f1687bfaf05c8604f59f09381c388994d5944cf18173d5b64127745c231ad69a75215c1f148b808a0a

Download Submit
C:\Windows\SysWOW64\Oohkai32.exe

Filesize
404KB

MD5
0e1b4aa1d534793a968a07e263035498

SHA1
8436761bfdffed80bda2cc7b82e05d3f06319015

SHA256
33896bb4174e57a14c5b62ae546d270a3a73bc104a67d3f91bed9be6af3b8516

SHA512
eb15e0845ea417dd550be13d757f05a6493ced227aad7cecc15ef6979f711b176b80ee89debae2f9abfbbef8f1039d8f80b8037de22918eb586c858c2baf648b

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
404KB

MD5
b3fe9686dcc4b1885f2b55525e86063b

SHA1
1a4fb46415b52111c553ad3ccfda0f1a1a96e041

SHA256
7d5a10ead79f97cca204227bc187cc3a9d7c5b28ca14f4ae6deb34bce80355c4

SHA512
c45fa5657ef0e7c276c56c7ea51a1f4deb6381a58c5edaa0c4ef83c74eca4bf272b6169e556f2f600729ab86fd1cd7269003dd52bee3525704500fcfa4434a8c

Download Submit
memory/512-583-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/648-529-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/764-481-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/916-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1056-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1212-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-577-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1864-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-571-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2400-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-84-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-535-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3548-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3796-541-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3940-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4340-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-475-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-147-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4964-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4992-469-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5160-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5196-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5244-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5260-493-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5284-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5316-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5332-499-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5364-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5400-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5412-505-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5436-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5468-511-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5476-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5524-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5556-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5572-517-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5596-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5628-523-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5636-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5684-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5720-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5756-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5804-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5836-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5864-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5876-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5916-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5948-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5956-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6004-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6028-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6036-433-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6076-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6100-565-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6116-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads