f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb.exe
Size

368KB
MD5

c721f72fdc44b2892c0e21ac507c556d
SHA1

0ed3ea51f9c0172e89e785f2d070467117d71104
SHA256

f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb
SHA512

e53994d54318b314f20f8128d087b8c8e096590403d2f67ca7d8e666556982b4fa05aab0bdc9860d4f42bced2f585251cc6e47e218221a1ebb50936ef5233eb2
SSDEEP

6144:BsptkbMXLqZulTjZXvEQo9dfJBEdKFckUQ/4TIHD4xutM3VOEIuV5t6R+0I/Vzoh:O7kbsLnT9XvEhdfJkKSkU3kHyuaRB5tC

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obidcdfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mociol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oooaah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qifbll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkklbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlgjhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhknhabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlcidopb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nooikj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mociol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okolfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odbgdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaekg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlgjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhknhabf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecpknke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nooikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjckkcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okolfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oooaah32.exe

Executes dropped EXE 34 IoCs

pid	Process
396	Mociol32.exe
4560	Maaekg32.exe
4740	Mhknhabf.exe
4224	Mlgjhp32.exe
4808	Mojopk32.exe
2120	Nlnpio32.exe
4952	Nomlek32.exe
3780	Nooikj32.exe
4380	Nlcidopb.exe
948	Ncmaai32.exe
828	Nocbfjmc.exe
3688	Nkjckkcg.exe
2432	Odbgdp32.exe
876	Obfhmd32.exe
636	Okolfj32.exe
4004	Obidcdfo.exe
832	Oloipmfd.exe
1268	Oooaah32.exe
2812	Obnnnc32.exe
768	Obpkcc32.exe
1988	Pmeoqlpl.exe
2808	Pcpgmf32.exe
868	Pkklbh32.exe
2960	Pcbdcf32.exe
4712	Pecpknke.exe
1444	Piolkm32.exe
3184	Pfeijqqe.exe
4500	Pkabbgol.exe
3172	Qifbll32.exe
4804	Qbngeadf.exe
3704	Qkfkng32.exe
3092	Aijlgkjq.exe
3616	Afnlpohj.exe
1292	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Balodg32.dll	Mhknhabf.exe
File created	C:\Windows\SysWOW64\Obidcdfo.exe	Okolfj32.exe
File opened for modification	C:\Windows\SysWOW64\Nomlek32.exe	Nlnpio32.exe
File created	C:\Windows\SysWOW64\Bhejfl32.dll	Mlgjhp32.exe
File created	C:\Windows\SysWOW64\Nocbfjmc.exe	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	Oooaah32.exe
File created	C:\Windows\SysWOW64\Pbgnqacq.dll	Oooaah32.exe
File created	C:\Windows\SysWOW64\Fflnkhef.dll	Pcpgmf32.exe
File opened for modification	C:\Windows\SysWOW64\Mhknhabf.exe	Maaekg32.exe
File created	C:\Windows\SysWOW64\Pkklbh32.exe	Pcpgmf32.exe
File opened for modification	C:\Windows\SysWOW64\Oooaah32.exe	Oloipmfd.exe
File opened for modification	C:\Windows\SysWOW64\Pcpgmf32.exe	Pmeoqlpl.exe
File created	C:\Windows\SysWOW64\Aknmjgje.dll	Aijlgkjq.exe
File opened for modification	C:\Windows\SysWOW64\Nlnpio32.exe	Mojopk32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjckkcg.exe	Nocbfjmc.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Mlgjhp32.exe	Mhknhabf.exe
File opened for modification	C:\Windows\SysWOW64\Nlcidopb.exe	Nooikj32.exe
File created	C:\Windows\SysWOW64\Pcpgmf32.exe	Pmeoqlpl.exe
File opened for modification	C:\Windows\SysWOW64\Pfeijqqe.exe	Piolkm32.exe
File opened for modification	C:\Windows\SysWOW64\Qifbll32.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Oijflc32.dll	Pmeoqlpl.exe
File created	C:\Windows\SysWOW64\Nooikj32.exe	Nomlek32.exe
File opened for modification	C:\Windows\SysWOW64\Nooikj32.exe	Nomlek32.exe
File created	C:\Windows\SysWOW64\Bdhfnche.dll	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Nkjckkcg.exe	Nocbfjmc.exe
File opened for modification	C:\Windows\SysWOW64\Obpkcc32.exe	Obnnnc32.exe
File opened for modification	C:\Windows\SysWOW64\Maaekg32.exe	Mociol32.exe
File created	C:\Windows\SysWOW64\Nlnpio32.exe	Mojopk32.exe
File created	C:\Windows\SysWOW64\Nlcidopb.exe	Nooikj32.exe
File created	C:\Windows\SysWOW64\Hfdgep32.dll	Obidcdfo.exe
File created	C:\Windows\SysWOW64\Aijlgkjq.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Edkakncg.dll	Nooikj32.exe
File created	C:\Windows\SysWOW64\Daphho32.dll	Nlcidopb.exe
File opened for modification	C:\Windows\SysWOW64\Nocbfjmc.exe	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Gbbqmiln.dll	Nkjckkcg.exe
File opened for modification	C:\Windows\SysWOW64\Pcbdcf32.exe	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Okolfj32.exe	Obfhmd32.exe
File opened for modification	C:\Windows\SysWOW64\Aijlgkjq.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Mhknhabf.exe	Maaekg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncmaai32.exe	Nlcidopb.exe
File opened for modification	C:\Windows\SysWOW64\Okolfj32.exe	Obfhmd32.exe
File created	C:\Windows\SysWOW64\Ohpcjnil.dll	Oloipmfd.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Hmmppdij.dll	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Maaekg32.exe	Mociol32.exe
File opened for modification	C:\Windows\SysWOW64\Odbgdp32.exe	Nkjckkcg.exe
File opened for modification	C:\Windows\SysWOW64\Obfhmd32.exe	Odbgdp32.exe
File created	C:\Windows\SysWOW64\Oooaah32.exe	Oloipmfd.exe
File created	C:\Windows\SysWOW64\Pecpknke.exe	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Mojopk32.exe	Mlgjhp32.exe
File opened for modification	C:\Windows\SysWOW64\Mlgjhp32.exe	Mhknhabf.exe
File created	C:\Windows\SysWOW64\Nomlek32.exe	Nlnpio32.exe
File opened for modification	C:\Windows\SysWOW64\Pkabbgol.exe	Pfeijqqe.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Jfbnnelf.dll	Nomlek32.exe
File created	C:\Windows\SysWOW64\Kmqbkkce.dll	Okolfj32.exe
File created	C:\Windows\SysWOW64\Cieonn32.dll	Pkklbh32.exe
File opened for modification	C:\Windows\SysWOW64\Qbngeadf.exe	Qifbll32.exe
File created	C:\Windows\SysWOW64\Ncmaai32.exe	Nlcidopb.exe
File created	C:\Windows\SysWOW64\Lchfjc32.dll	Odbgdp32.exe
File created	C:\Windows\SysWOW64\Obpkcc32.exe	Obnnnc32.exe
File created	C:\Windows\SysWOW64\Mociol32.exe	f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb.exe
File created	C:\Windows\SysWOW64\Lggfcd32.dll	Maaekg32.exe

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maaekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oooaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhknhabf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nooikj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oloipmfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgjhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcidopb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnnnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkklbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjckkcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odbgdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obidcdfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mociol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obfhmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomlek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifbll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obpkcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeijqqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emnhomim.dll"	Mociol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balodg32.dll"	Mhknhabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlpkg32.dll"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mociol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmppdij.dll"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdfnq32.dll"	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okolfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlgjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknmjgje.dll"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nooikj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhknhabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfjc32.dll"	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgnqacq.dll"	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mojopk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkjom32.dll"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijbed32.dll"	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdgep32.dll"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbndhppc.dll"	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoeiajc.dll"	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhfnche.dll"	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fflnkhef.dll"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Piolkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mociol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhejfl32.dll"	Mlgjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkakncg.dll"	Nooikj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijflc32.dll"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnmfk32.dll"	Mojopk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlgjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhegoin.dll"	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odbgdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbqmiln.dll"	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkklbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonhbi32.dll"	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcpgmf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 396	3312	f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb.exe	90
PID 3312 wrote to memory of 396	3312	f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb.exe	90
PID 3312 wrote to memory of 396	3312	f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb.exe	90
PID 396 wrote to memory of 4560	396	Mociol32.exe	91
PID 396 wrote to memory of 4560	396	Mociol32.exe	91
PID 396 wrote to memory of 4560	396	Mociol32.exe	91
PID 4560 wrote to memory of 4740	4560	Maaekg32.exe	92
PID 4560 wrote to memory of 4740	4560	Maaekg32.exe	92
PID 4560 wrote to memory of 4740	4560	Maaekg32.exe	92
PID 4740 wrote to memory of 4224	4740	Mhknhabf.exe	93
PID 4740 wrote to memory of 4224	4740	Mhknhabf.exe	93
PID 4740 wrote to memory of 4224	4740	Mhknhabf.exe	93
PID 4224 wrote to memory of 4808	4224	Mlgjhp32.exe	95
PID 4224 wrote to memory of 4808	4224	Mlgjhp32.exe	95
PID 4224 wrote to memory of 4808	4224	Mlgjhp32.exe	95
PID 4808 wrote to memory of 2120	4808	Mojopk32.exe	96
PID 4808 wrote to memory of 2120	4808	Mojopk32.exe	96
PID 4808 wrote to memory of 2120	4808	Mojopk32.exe	96
PID 2120 wrote to memory of 4952	2120	Nlnpio32.exe	98
PID 2120 wrote to memory of 4952	2120	Nlnpio32.exe	98
PID 2120 wrote to memory of 4952	2120	Nlnpio32.exe	98
PID 4952 wrote to memory of 3780	4952	Nomlek32.exe	99
PID 4952 wrote to memory of 3780	4952	Nomlek32.exe	99
PID 4952 wrote to memory of 3780	4952	Nomlek32.exe	99
PID 3780 wrote to memory of 4380	3780	Nooikj32.exe	100
PID 3780 wrote to memory of 4380	3780	Nooikj32.exe	100
PID 3780 wrote to memory of 4380	3780	Nooikj32.exe	100
PID 4380 wrote to memory of 948	4380	Nlcidopb.exe	101
PID 4380 wrote to memory of 948	4380	Nlcidopb.exe	101
PID 4380 wrote to memory of 948	4380	Nlcidopb.exe	101
PID 948 wrote to memory of 828	948	Ncmaai32.exe	102
PID 948 wrote to memory of 828	948	Ncmaai32.exe	102
PID 948 wrote to memory of 828	948	Ncmaai32.exe	102
PID 828 wrote to memory of 3688	828	Nocbfjmc.exe	103
PID 828 wrote to memory of 3688	828	Nocbfjmc.exe	103
PID 828 wrote to memory of 3688	828	Nocbfjmc.exe	103
PID 3688 wrote to memory of 2432	3688	Nkjckkcg.exe	105
PID 3688 wrote to memory of 2432	3688	Nkjckkcg.exe	105
PID 3688 wrote to memory of 2432	3688	Nkjckkcg.exe	105
PID 2432 wrote to memory of 876	2432	Odbgdp32.exe	106
PID 2432 wrote to memory of 876	2432	Odbgdp32.exe	106
PID 2432 wrote to memory of 876	2432	Odbgdp32.exe	106
PID 876 wrote to memory of 636	876	Obfhmd32.exe	107
PID 876 wrote to memory of 636	876	Obfhmd32.exe	107
PID 876 wrote to memory of 636	876	Obfhmd32.exe	107
PID 636 wrote to memory of 4004	636	Okolfj32.exe	108
PID 636 wrote to memory of 4004	636	Okolfj32.exe	108
PID 636 wrote to memory of 4004	636	Okolfj32.exe	108
PID 4004 wrote to memory of 832	4004	Obidcdfo.exe	109
PID 4004 wrote to memory of 832	4004	Obidcdfo.exe	109
PID 4004 wrote to memory of 832	4004	Obidcdfo.exe	109
PID 832 wrote to memory of 1268	832	Oloipmfd.exe	110
PID 832 wrote to memory of 1268	832	Oloipmfd.exe	110
PID 832 wrote to memory of 1268	832	Oloipmfd.exe	110
PID 1268 wrote to memory of 2812	1268	Oooaah32.exe	111
PID 1268 wrote to memory of 2812	1268	Oooaah32.exe	111
PID 1268 wrote to memory of 2812	1268	Oooaah32.exe	111
PID 2812 wrote to memory of 768	2812	Obnnnc32.exe	112
PID 2812 wrote to memory of 768	2812	Obnnnc32.exe	112
PID 2812 wrote to memory of 768	2812	Obnnnc32.exe	112
PID 768 wrote to memory of 1988	768	Obpkcc32.exe	113
PID 768 wrote to memory of 1988	768	Obpkcc32.exe	113
PID 768 wrote to memory of 1988	768	Obpkcc32.exe	113
PID 1988 wrote to memory of 2808	1988	Pmeoqlpl.exe	114

C:\Users\Admin\AppData\Local\Temp\f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb.exe
"C:\Users\Admin\AppData\Local\Temp\f84c8c34e4fda01196ffa983d3ad8587e4a8bf499213968f68d8b9cb8720a1cb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\SysWOW64\Mociol32.exe
  C:\Windows\system32\Mociol32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\Maaekg32.exe
    C:\Windows\system32\Maaekg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SysWOW64\Mhknhabf.exe
      C:\Windows\system32\Mhknhabf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
      - C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4128,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
1⤵
PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aijlgkjq.exe

Filesize
368KB

MD5
2b15951b7209036ab6a228103f9977d2

SHA1
751cc600c7602117935592ae8b87e79115622406

SHA256
b1a24fb6b80c93fe56ab1319dddae2ca6adbfe29c3ba4a3c798e63f104045f8e

SHA512
73e269dc8a35288625a2836a76ab510917dc90e0440b04190b6c48aeab025896cddae4bfdafdeca26250e57b89f37f4e161de75456e9135e6fc71489ea3ae8ac

Download Submit
C:\Windows\SysWOW64\Bhejfl32.dll

Filesize
7KB

MD5
3299c1f0d605e8887a1c145593bab695

SHA1
20ce77a87a7a33fa7e6cd7fddb2747d70c80197d

SHA256
683d61b692ff10388ed5382e878fac60ffee9e957c5586fae1da38e502359d5c

SHA512
1d5933e3c06a75ce762439e88dca6c0abbf3f47f97934293a6c04d642b67f241efccb35540075f55658dfc374b050e21bad8f3f1b70e973a8ecbc1d173d7372b

Download Submit
C:\Windows\SysWOW64\Maaekg32.exe

Filesize
368KB

MD5
677000049dddda52e531e0274753e07b

SHA1
dcd9fe8bb4bcc415244a9643729cd1a51b4cab45

SHA256
2bf8402f21579ea45ffbcfb78427a0b6ac13ff54fd32542f77692a6c428528f3

SHA512
db294a36f83a8efb59afa9c589e93c5a8b477b2fcef3f8dbd7560778ef1aeaa3cc660e6f4a9ffe68016f62f115c893df27e81421f20f06cd230860afd8f63846

Download Submit
C:\Windows\SysWOW64\Mhknhabf.exe

Filesize
368KB

MD5
59274d2609575db02d693694bf779894

SHA1
d356d227e5ff50cdfad5e1366ee29f947c9a93a5

SHA256
82ca8df39322dd61912efab8a9748ff6b07d0eaf0daf571c6c45f6a921471f50

SHA512
0dad5162c42111b983777dae5387daa59aecee5d59095bf4391252dac8b01f77598e44852bc6b33916e468cfbb5373649808762f8aca1cdf38d46f3787676efd

Download Submit
C:\Windows\SysWOW64\Mlgjhp32.exe

Filesize
368KB

MD5
45fd19768935f2224132debeb4cb5e3e

SHA1
21fb1f80b59836e3c0211e84058bd29afb5a7e03

SHA256
0e56f5201c8042789899ea5bd665fd60fbb51cc57ded3fbf584564e5f171facc

SHA512
a81f475b0d3dae293e3c8f99c5547499d5f6385e224a16e90a1dfc99e14eea919631706aabbf90f942cb9367fe6bd89b28ac6522769a64d34d15d5f49a788b59

Download Submit
C:\Windows\SysWOW64\Mociol32.exe

Filesize
368KB

MD5
3e1c4b9c3975a3659ae11a00f3337b7a

SHA1
41f1939bb358a9f62863af509b69f7e81ee8235e

SHA256
3d572eacd4d5eb42ec3cb1011a9d60776631b16204b3ed87294277eccc984911

SHA512
5a8fbe33582e83029a6e451e4f0a83f942a7373b920d498be36e17be7ec23d3255f57b9f80bf6c6daef266a23001640af0b1d3176985b664f2b4515343527433

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
368KB

MD5
ba1fc9b2b42fb2eb136c791b0c6befb7

SHA1
6394a223eaab952ca2ee76a25ee9d237457d6f76

SHA256
7c64c1b6a4bc011155e62233893250addff4c5585448eade54be169aaf83e223

SHA512
d3868d7ad206cfe06cd145693a74168133bb30389b7702cd6a30e5887527c77ac4d26658a937af02244b762548887bbdf1ce9fbca4a27c9774fe2b403389e261

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
368KB

MD5
0882266262044e395f1156dae1d49267

SHA1
a2800e90ff22bfbd13b8fb8e8b1789ebf94309e6

SHA256
c54388928cc608b3940bc70efad20152916161b0f912b2900b8aae0fa71dd1dd

SHA512
f95db03b03288cb4c290fbb3bb9f7cb045b82d03fd2df23e3859021635973a3cf43940bff0071c4933c10df202d4eac53f88959fa64077569e04d1f0553a2928

Download Submit
C:\Windows\SysWOW64\Nkjckkcg.exe

Filesize
368KB

MD5
c490feeecfc7c0fc40e96f4732c4e1f1

SHA1
c971cf6276311c92d9ac0ce6f831ed9615cc737e

SHA256
4008d68a23b8df79fb8bb9a58a697cdb400f8fbcda0140d454eb2fce36b7643c

SHA512
ee7200a8dcd1216af8945397dd30a2a02dd7ca443fc1a16669dedee90be387ff3f0f24bcd1384f06a2d2b816e8488d642ebade702c3ab665ecf2d4b15206f0f4

Download Submit
C:\Windows\SysWOW64\Nlcidopb.exe

Filesize
368KB

MD5
6454b8726be790d16f4d1da3c1c586c5

SHA1
87baca5619f2592f29ff8f273d723baecda29942

SHA256
6808b122f84d730f05e6e61e66b2506ee35024c16c224c098df0ee1bf93846be

SHA512
e0b40195db67eab406d5c8c161ddb030534e0512fcee72b16c3d16b381aae5143c6620d2b5f82266b66c267d4430bc4b3a2553de56557f1c62addafdf6b1520b

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
368KB

MD5
593e16ae93e7a2a6cd26c0c5e3854c41

SHA1
189e30c1f5367a41f9477f9b20cbafa06582d921

SHA256
34291661cbc5ed25a9a0c49ddb704878066a366d6a0a6a491e9c1dab0c761b5a

SHA512
7d95d72277672e965c7670dd11ebd3fdafc0ad26a98e5f565401b3942499171124ca8e796fdda8f4a230d6b5559fea73601e8f4e8bed6a49549b8c1c7fb76e48

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe

Filesize
368KB

MD5
9b0c492e4502bbf544c081e0df6f116c

SHA1
0053ab5f04d58e99cbacb7478bd7d65906993cfa

SHA256
3ac179c1f59c63c30982074c942a90c0392588c53fc0e590dc766c1df74821fd

SHA512
5cfa8be9199629f0b36c289e71de4b015e002216b8508cf0519838e0c7f5179887a857d9ba9f6acb53dd35efb9c0774274a09e8b4aa4d4c2b0bb97f8d6f128a6

Download Submit
C:\Windows\SysWOW64\Nomlek32.exe

Filesize
368KB

MD5
a9d2c8da23d063b0b64b7fa736dcddf2

SHA1
4e467bff23221dd52725880db27086fbc158876e

SHA256
9d614c7e67443955f563093ff6e160e5bda4f4d9c984a1c4a69c9df567101bc2

SHA512
8ed6ec9326f104ffd245b84fcc62d5da66986eecdced0e669db417d2d3490cbd77fc5be8c6e60729c1ba11065345dd23e0ee538b3009cbd838787d6ca46b9970

Download Submit
C:\Windows\SysWOW64\Nooikj32.exe

Filesize
368KB

MD5
6dfc3958e1962546054a12360c916b0e

SHA1
7c174d26111b16b59b8adb85074d723ec3f9ceff

SHA256
72a7ed8aa90767754f848006499e84e52b6154f8cd780b8df52c9c2cf17329db

SHA512
6bf38feb555a6ba14aa6308de805349c66635b39c5d05d3d3bd406428734ef81e0c64523931ba1323cf46866a462e8991556d36a3f97cc591c1f730d5fd3be94

Download Submit
C:\Windows\SysWOW64\Obfhmd32.exe

Filesize
368KB

MD5
a51dc2087403882b656e5d0baa87f193

SHA1
78e1a5274d25fac3ab3690b0b455a06fb6c92670

SHA256
644bb5766f13c77ac3dbfa4af1ce81600d388de61d988bcdadb9768a201eccba

SHA512
32e6c04a86194d0e8468f9d587fdbf81259432005164b32ef33523df67c3fae040808a4c8ddf1dbd6f086fd8f6437412ebbe1561199d808802c7fac1807e580f

Download Submit
C:\Windows\SysWOW64\Obidcdfo.exe

Filesize
368KB

MD5
85a2f8d516063694162138a929026286

SHA1
de46c0082ec9f8275dd00d85797c796ba3faad69

SHA256
49294b7c0bbf64557e3898eab6e30c0b8c42e20ea9d589487fa394440a07720c

SHA512
3a8625ecdb25509ef701a499500bf0cd02ed4e8bc833272b95821ff3d370a0eefb1bd405aca88f86081b11429690b4da0e867160f382237e556ef24219940966

Download Submit
C:\Windows\SysWOW64\Obnnnc32.exe

Filesize
368KB

MD5
1b511c551c1cb3e06bfa65f3cf2e49c4

SHA1
58ec1bf1a88f100b75f9612d1ea10d2cd6c89d1c

SHA256
21811c59c83001b6f20ea2849db04666d595e1c50fab1f169718517dcc6d5bae

SHA512
6a033507fa47bb306f8f5e01cd1b836904d09c87f8fb5e080352d69cf5958d39c597c7e6d0be9a67310872ba7ee4e469f239da32eb876a8d232b03af8930aa7a

Download Submit
C:\Windows\SysWOW64\Obpkcc32.exe

Filesize
368KB

MD5
8e713d23a56220cfdd381b5bd0427fbe

SHA1
4cf38e7ad04095f3f5f8ce1b34029f6bbdc0ec65

SHA256
ff6069a01c9fd794ce9cf3660d5e5cab7e4244edec08e3d5c924c7d782b1e66e

SHA512
a1328a88c2dc5a6b0bdecf520ef1e9e7f2364cfba400d4820cdc44424cd9f0ce306bbf88c763cfb8f75333c888183a4025d97c51b06cd611e0d2f6c768b2ed45

Download Submit
C:\Windows\SysWOW64\Odbgdp32.exe

Filesize
368KB

MD5
cb0f71a13ef8c6da53d2fc9483374fe3

SHA1
f7c741de5b5bc17defcc128bad61bf65204ca0f2

SHA256
970f638d96863975dd68d10d332d8e62bfbac059ec2b8a056e29492fa0e8f97f

SHA512
6dac3aefb06503650dac3bd2de31f732668e88fab8cf9a073f874e26090f9159d536c8864c8bb696453e19d0408f3e2cb1338b0ab54eff44374e621d2dd17c4e

Download Submit
C:\Windows\SysWOW64\Okolfj32.exe

Filesize
368KB

MD5
4672256ec7cbad4e05df6db6aa09a4e9

SHA1
9060b17fc5e5d91f57556b671c03ea94b8b44562

SHA256
408f2e297961cbdf5dc8dc122e3fc3b7b2b7a5a4e9cf5ea5fe37ee284fd0c4ef

SHA512
152250aa7698042a2f1d5aabaafef6c01814f66c688bace5e934f47c2bfc23049254a97ebc007a65123aff06fe70d7ef40c5afa8da0fe7182167e6833631166a

Download Submit
C:\Windows\SysWOW64\Oloipmfd.exe

Filesize
368KB

MD5
60c51efb4f760e8bbaaaca7a2a867fdf

SHA1
8b285ab2b858301649a29071f43b58e1be563a27

SHA256
05a84ec6fcc8b11e33a510c0e2598567de744981e4fb38d4310c6d99da2875e2

SHA512
ac85949d084ac46208a654e2f545cf12870c5ad68bff662e5239930eed0bd054c684c82b30778c52f09dfdfeaca905e52ac2868f1f029a758d5108f534111ecb

Download Submit
C:\Windows\SysWOW64\Oooaah32.exe

Filesize
368KB

MD5
0d1c179f15499c6b541e9c4d795eeef7

SHA1
8b6307ea3441e2048436e1c399aaac675c4604db

SHA256
1d1b0f79077856067b3ffaab9a97781a757bb6a147c24e492f4d9f13560366b3

SHA512
373f127b4680862700eef9da652a1b1f6ca39ce34ac597796dbfdf1e5ecf3f5226a93ff2851d3862f1c0344d4e3635d44a9e7c11d0e26aadd8114552645f815f

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe

Filesize
368KB

MD5
54d5d59b6a0e72254b47698aa4004115

SHA1
362c5e4e2aa6eecb71fa47251a944da4e60aaac9

SHA256
3f4d414e9a0e2ab22a73a9162ac0e99698204fdf17e555fe84018ebf9f595c7b

SHA512
e3781bff9e634523dcc5ed8cb6edcefa7d3d0954e0eb9cf70b98883500cbc41f9f72ef6be2a10a86240810569545514d135d140968572920f63dc0fb16b3dfde

Download Submit
C:\Windows\SysWOW64\Pcpgmf32.exe

Filesize
368KB

MD5
be368d86cb5066464e1ac2c4b30e4fad

SHA1
ce350a602db925a9e0b3d9065dc6b67f8e2a964a

SHA256
5ee529dc92010a5f80e93d99ae6e0ab543239bc39b13265856fe51201bbe3b44

SHA512
37e4ed618b2a016976de52f7a5740055193ab4f6801efcf8e40233a9eef48d60380c4e438058a6b7b0938f0c2e77e0aabe4ac190f57c36339148ef296b504c56

Download Submit
C:\Windows\SysWOW64\Pecpknke.exe

Filesize
368KB

MD5
02c6e527b0cba881dae18cdcc0aa20b0

SHA1
475146b1992dc8bdeef2ae29c6ac7ec671bb11a5

SHA256
d0c628a0a3bbe3bf8e3dc9d50c6809a120f2dd4990dc1d156cbc93f0da996135

SHA512
745c84753f0cab43a7f12de0917e4c05b7e452f9cda1819beec166cbf3a470f3a70be97be0b54ef9143577b732fb32c947473592cfb6557b407011b5985105c3

Download Submit
C:\Windows\SysWOW64\Pfeijqqe.exe

Filesize
368KB

MD5
58cdd4840d3b15e7cc7d8f8816fdc9ca

SHA1
caae584f1f5aacb24a66878281b90153bd68ba87

SHA256
a8b31ba348619741c5a49fc92de2c4b14cb82cccd1aa07c3b1599f7ae97ac16a

SHA512
69bacf41cc2253359a017dc1331fe9e155cdc3584a3af033ec75a7d4bf00f0dcb647092d14d861b87c27e19c051ddb2e8d48cb9d968d197d54f6e7161f9c216e

Download Submit
C:\Windows\SysWOW64\Piolkm32.exe

Filesize
368KB

MD5
f077f7adeb21ecfa14676296ba05d35d

SHA1
a038aacf88baf7430eebae034b887c4926154f6c

SHA256
5038cdcd1aeca02bad55dda9a2a2db81fc9ec99c2ed0a01087b14b288e8df409

SHA512
e30a1332daf787afac8bf2231aab07282c148c9274cfce20d684f8b55240e696e41c711bdd9399f1734226de1eb7bbced5b9f7f29f54a163794d5cf9b9c74fdd

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
368KB

MD5
104becc09c651fca984049c67d466c89

SHA1
3a9b443d822fdf6b2cd7bef3a49040d6366aebfb

SHA256
5b0e493a6da6c6183544222654abd3cc3764e2584dba4ffcdfa8c090f093d319

SHA512
0996d60798545e9fb77636c50d05a28858210fdbf9d31c6ae0b4916ff7f616e15058759ba59b1625d0a258608917668e06f3b6d9a04af21c13dbb3bc3d465509

Download Submit
C:\Windows\SysWOW64\Pkklbh32.exe

Filesize
368KB

MD5
5364ee31a750ac69666fc2ed949d38fe

SHA1
41b8734f5cd77dc3f25c0a02ae230b3901926c65

SHA256
fbf5a61bf3d5e11e42c0250ade4797228217459fe6e55ee3134f6af9e8b2ae39

SHA512
4e4cd562cd814e386157f21fa00ee56bcd56b1dd1d4869cd1ad8c7b159294bfb02069f0d2b3f536a35d873a2d252fb458b5b9b479620288e43afed135c1f6a67

Download Submit
C:\Windows\SysWOW64\Pmeoqlpl.exe

Filesize
368KB

MD5
33db05ad156f6c956e695b4bc29f011f

SHA1
ec88461bfee4994bc61916425985e6a037e833c7

SHA256
31e48dfca1ed8a0889efaeb5439dbe04010e70fdf3de63c86bb3a651e30575fd

SHA512
1a04f908d7bbafab92480312707428897b94479658954a6b633a48862152545318ac2bbf88470403e9a1cdecf9a4957b8e6fddaefa0ace974f6d3f354dd049b6

Download Submit
C:\Windows\SysWOW64\Qbngeadf.exe

Filesize
368KB

MD5
ffff4ca44ffc380629ea089c60670979

SHA1
2bb209cab14852b3bff0ce9b98a36375d37effed

SHA256
86e41ec131ffd6a841368e1a7098130f0aa489367d47ad77392c479df452f789

SHA512
e03fc5cfff35862a0003c87d830bb3de3507cbebd45ee8c338447b36cd7413cb5156ae059c16000b426d619c0939def3a90112011ed50c116f7ee9b3b79cce42

Download Submit
C:\Windows\SysWOW64\Qifbll32.exe

Filesize
368KB

MD5
65109b39dbd499feb146d1c0483a8d13

SHA1
6ed543348eec84f410d6186cec4833b5060231d7

SHA256
57b38cb2a4ed556ec7154d3542ada8cc0f1214d7ec834f70b27950ff7bce37c6

SHA512
87d2333bdafacbb8d0d2ed9e4fcbfdd8ff46f955207e1050d1d2b908a22f22bbca786620a4731dda15602b7d9c7cb18d6c60e40327ccdae674c74d2d078f3e64

Download Submit
C:\Windows\SysWOW64\Qkfkng32.exe

Filesize
368KB

MD5
c00dcaeb7d2f10e3c436751d39f19c57

SHA1
54efa67c2abe0e06a8bb80a28979144cd4614853

SHA256
f89492aad8e890c0bada9a7651140149121a2c0bd7ebb3e49906fac9230c3215

SHA512
0b823a2cfcdf0b8860ee970ac4376c2b3d6a1a1bdd57ebecf4bd6613bd716e65a4c35dd213798b396f8281cf3ea8e1e19ca35d51f3fe4ed195000c9b448a5121

Download Submit
memory/396-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3092-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-277-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4712-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads