38ea374ed143159b67ce504f51bb9f5dfa601274fbde867e9dcc10f640d755e4

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc3bf639c130e003017231e96d598980N.exe
Size

64KB
MD5

cc3bf639c130e003017231e96d598980
SHA1

139b917f940eb0dc55bf5996efb3679631f276fe
SHA256

38ea374ed143159b67ce504f51bb9f5dfa601274fbde867e9dcc10f640d755e4
SHA512

7d15b2c8e39eb514dca7abb1eaf794db0ce509d0e9cdee981e59158753f8fb0eaf998bee2c79e7f91290fecdaa0e5ff94ab5393420806b63308f83990307584e
SSDEEP

1536:OzWAFs/qfDWJ0rYLuUq4LL5EQEkR+UvjAxJ2LbrDWBi:eFFsODTYCUq4LL5EQEJUrAxCb2Bi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mebkge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omaeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkholi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akihcfid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obkahddl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mllccpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfnjbdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfiagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlqloo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnjbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcabej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjdki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obkahddl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mekdffee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mllccpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcfkpjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcoepkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfknmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmanljfo.exe

Executes dropped EXE 62 IoCs

pid	Process
2328	Mekdffee.exe
3536	Mlemcq32.exe
2412	Mcoepkdo.exe
1116	Mdpagc32.exe
1784	Mkjjdmaj.exe
2488	Mcabej32.exe
4856	Mdbnmbhj.exe
4760	Mlifnphl.exe
2180	Mebkge32.exe
1172	Mddkbbfg.exe
4776	Mllccpfj.exe
3348	Mkocol32.exe
3876	Mcfkpjng.exe
2464	Medglemj.exe
4780	Mdghhb32.exe
2248	Nlqloo32.exe
3716	Ncjdki32.exe
1704	Nfiagd32.exe
1336	Nkeipk32.exe
4156	Ncmaai32.exe
768	Nfknmd32.exe
1536	Nocbfjmc.exe
2836	Nfnjbdep.exe
2884	Nlgbon32.exe
2744	Ncaklhdi.exe
3468	Ohncdobq.exe
4744	Oohkai32.exe
2892	Odedipge.exe
4276	Okolfj32.exe
1424	Ocfdgg32.exe
4024	Oloipmfd.exe
2352	Obkahddl.exe
636	Omaeem32.exe
464	Obnnnc32.exe
2088	Odljjo32.exe
544	Ooangh32.exe
3332	Pijcpmhc.exe
972	Pkholi32.exe
4708	Pcpgmf32.exe
1908	Pilpfm32.exe
3832	Pmhkflnj.exe
1444	Pofhbgmn.exe
3140	Pfppoa32.exe
4384	Piolkm32.exe
2292	Poidhg32.exe
2120	Peempn32.exe
1608	Pokanf32.exe
452	Pehjfm32.exe
3712	Pkabbgol.exe
4532	Pcijce32.exe
4556	Qfgfpp32.exe
4904	Qmanljfo.exe
2612	Qckfid32.exe
1020	Qelcamcj.exe
5028	Qkfkng32.exe
2952	Qcncodki.exe
4484	Aflpkpjm.exe
396	Aijlgkjq.exe
868	Akihcfid.exe
1568	Afnlpohj.exe
3916	Aealll32.exe
3000	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qkfkng32.exe	Qelcamcj.exe
File created	C:\Windows\SysWOW64\Aijlgkjq.exe	Aflpkpjm.exe
File opened for modification	C:\Windows\SysWOW64\Ncmaai32.exe	Nkeipk32.exe
File created	C:\Windows\SysWOW64\Mpaflkim.dll	Pmhkflnj.exe
File opened for modification	C:\Windows\SysWOW64\Pkabbgol.exe	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Qfgfpp32.exe	Pcijce32.exe
File created	C:\Windows\SysWOW64\Nlqloo32.exe	Mdghhb32.exe
File opened for modification	C:\Windows\SysWOW64\Qmanljfo.exe	Qfgfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Qelcamcj.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Pokanf32.exe	Peempn32.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Aealll32.exe
File created	C:\Windows\SysWOW64\Cbgabh32.dll	Mllccpfj.exe
File opened for modification	C:\Windows\SysWOW64\Ooangh32.exe	Odljjo32.exe
File created	C:\Windows\SysWOW64\Pijcpmhc.exe	Ooangh32.exe
File created	C:\Windows\SysWOW64\Pofhbgmn.exe	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Ncaklhdi.exe	Nlgbon32.exe
File created	C:\Windows\SysWOW64\Pilpfm32.exe	Pcpgmf32.exe
File opened for modification	C:\Windows\SysWOW64\Poidhg32.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Edkamckh.dll	Poidhg32.exe
File created	C:\Windows\SysWOW64\Ipdkapdh.dll	Mekdffee.exe
File opened for modification	C:\Windows\SysWOW64\Mcfkpjng.exe	Mkocol32.exe
File created	C:\Windows\SysWOW64\Ecdleo32.dll	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Nlgbon32.exe	Nfnjbdep.exe
File opened for modification	C:\Windows\SysWOW64\Pcijce32.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Qckfid32.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Nfknmd32.exe	Ncmaai32.exe
File opened for modification	C:\Windows\SysWOW64\Okolfj32.exe	Odedipge.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Omaeem32.exe
File opened for modification	C:\Windows\SysWOW64\Pilpfm32.exe	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Mdpagc32.exe	Mcoepkdo.exe
File created	C:\Windows\SysWOW64\Dkheoa32.dll	Mdpagc32.exe
File created	C:\Windows\SysWOW64\Aocdjq32.dll	Mkocol32.exe
File created	C:\Windows\SysWOW64\Nkeipk32.exe	Nfiagd32.exe
File opened for modification	C:\Windows\SysWOW64\Peempn32.exe	Poidhg32.exe
File created	C:\Windows\SysWOW64\Qmanljfo.exe	Qfgfpp32.exe
File created	C:\Windows\SysWOW64\Mqkbjk32.dll	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Honmnc32.dll	Pijcpmhc.exe
File created	C:\Windows\SysWOW64\Ejcdfahd.dll	Aealll32.exe
File created	C:\Windows\SysWOW64\Akihcfid.exe	Aijlgkjq.exe
File opened for modification	C:\Windows\SysWOW64\Nlqloo32.exe	Mdghhb32.exe
File opened for modification	C:\Windows\SysWOW64\Nkeipk32.exe	Nfiagd32.exe
File created	C:\Windows\SysWOW64\Daphho32.dll	Nkeipk32.exe
File created	C:\Windows\SysWOW64\Qckfid32.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Peempn32.exe	Poidhg32.exe
File created	C:\Windows\SysWOW64\Aknmjgje.dll	Akihcfid.exe
File opened for modification	C:\Windows\SysWOW64\Aealll32.exe	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Mdghhb32.exe	Medglemj.exe
File created	C:\Windows\SysWOW64\Gipjam32.dll	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Oenlmopg.dll	Odljjo32.exe
File created	C:\Windows\SysWOW64\Clpkdlkd.dll	Ooangh32.exe
File created	C:\Windows\SysWOW64\Pfppoa32.exe	Pofhbgmn.exe
File created	C:\Windows\SysWOW64\Qcncodki.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Opepqban.dll	Qcncodki.exe
File created	C:\Windows\SysWOW64\Ncjdki32.exe	Nlqloo32.exe
File opened for modification	C:\Windows\SysWOW64\Ocfdgg32.exe	Okolfj32.exe
File created	C:\Windows\SysWOW64\Pcpgmf32.exe	Pkholi32.exe
File opened for modification	C:\Windows\SysWOW64\Pofhbgmn.exe	Pmhkflnj.exe
File opened for modification	C:\Windows\SysWOW64\Pijcpmhc.exe	Ooangh32.exe
File opened for modification	C:\Windows\SysWOW64\Aijlgkjq.exe	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Hmmppdij.dll	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Mddkbbfg.exe	Mebkge32.exe
File created	C:\Windows\SysWOW64\Okolfj32.exe	Odedipge.exe
File opened for modification	C:\Windows\SysWOW64\Omaeem32.exe	Obkahddl.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	Omaeem32.exe

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mddkbbfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfkpjng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peempn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncaklhdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc3bf639c130e003017231e96d598980N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllccpfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkocol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfiagd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnnnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkeipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mekdffee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebkge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnjbdep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oohkai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odljjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpagc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkjjdmaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omaeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poidhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medglemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooangh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcabej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdbnmbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlgbon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlqloo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfknmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oloipmfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlemcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofhbgmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlifnphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obkahddl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkholi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcoepkdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohncdobq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedipge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppoa32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdkapdh.dll"	Mekdffee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkqjp32.dll"	Oloipmfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknmjgje.dll"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgabh32.dll"	Mllccpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloojfj.dll"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfgfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdgep32.dll"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonhbi32.dll"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfomcn32.dll"	Pofhbgmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haafdi32.dll"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opepqban.dll"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdjpphi.dll"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odljjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cc3bf639c130e003017231e96d598980N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mebkge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjam32.dll"	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfhegp32.dll"	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpkdlkd.dll"	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aocdjq32.dll"	Mkocol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaflkim.dll"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honmnc32.dll"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfppoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlbphhk.dll"	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlifnphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnggfhnm.dll"	Nfiagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpqifh32.dll"	Okolfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okolfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll"	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmppdij.dll"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfiagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhodebp.dll"	cc3bf639c130e003017231e96d598980N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcoepkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pofhbgmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenflo32.dll"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mekdffee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdleo32.dll"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmaai32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 2328	4664	cc3bf639c130e003017231e96d598980N.exe	92
PID 4664 wrote to memory of 2328	4664	cc3bf639c130e003017231e96d598980N.exe	92
PID 4664 wrote to memory of 2328	4664	cc3bf639c130e003017231e96d598980N.exe	92
PID 2328 wrote to memory of 3536	2328	Mekdffee.exe	93
PID 2328 wrote to memory of 3536	2328	Mekdffee.exe	93
PID 2328 wrote to memory of 3536	2328	Mekdffee.exe	93
PID 3536 wrote to memory of 2412	3536	Mlemcq32.exe	94
PID 3536 wrote to memory of 2412	3536	Mlemcq32.exe	94
PID 3536 wrote to memory of 2412	3536	Mlemcq32.exe	94
PID 2412 wrote to memory of 1116	2412	Mcoepkdo.exe	95
PID 2412 wrote to memory of 1116	2412	Mcoepkdo.exe	95
PID 2412 wrote to memory of 1116	2412	Mcoepkdo.exe	95
PID 1116 wrote to memory of 1784	1116	Mdpagc32.exe	96
PID 1116 wrote to memory of 1784	1116	Mdpagc32.exe	96
PID 1116 wrote to memory of 1784	1116	Mdpagc32.exe	96
PID 1784 wrote to memory of 2488	1784	Mkjjdmaj.exe	98
PID 1784 wrote to memory of 2488	1784	Mkjjdmaj.exe	98
PID 1784 wrote to memory of 2488	1784	Mkjjdmaj.exe	98
PID 2488 wrote to memory of 4856	2488	Mcabej32.exe	99
PID 2488 wrote to memory of 4856	2488	Mcabej32.exe	99
PID 2488 wrote to memory of 4856	2488	Mcabej32.exe	99
PID 4856 wrote to memory of 4760	4856	Mdbnmbhj.exe	100
PID 4856 wrote to memory of 4760	4856	Mdbnmbhj.exe	100
PID 4856 wrote to memory of 4760	4856	Mdbnmbhj.exe	100
PID 4760 wrote to memory of 2180	4760	Mlifnphl.exe	102
PID 4760 wrote to memory of 2180	4760	Mlifnphl.exe	102
PID 4760 wrote to memory of 2180	4760	Mlifnphl.exe	102
PID 2180 wrote to memory of 1172	2180	Mebkge32.exe	103
PID 2180 wrote to memory of 1172	2180	Mebkge32.exe	103
PID 2180 wrote to memory of 1172	2180	Mebkge32.exe	103
PID 1172 wrote to memory of 4776	1172	Mddkbbfg.exe	104
PID 1172 wrote to memory of 4776	1172	Mddkbbfg.exe	104
PID 1172 wrote to memory of 4776	1172	Mddkbbfg.exe	104
PID 4776 wrote to memory of 3348	4776	Mllccpfj.exe	105
PID 4776 wrote to memory of 3348	4776	Mllccpfj.exe	105
PID 4776 wrote to memory of 3348	4776	Mllccpfj.exe	105
PID 3348 wrote to memory of 3876	3348	Mkocol32.exe	106
PID 3348 wrote to memory of 3876	3348	Mkocol32.exe	106
PID 3348 wrote to memory of 3876	3348	Mkocol32.exe	106
PID 3876 wrote to memory of 2464	3876	Mcfkpjng.exe	107
PID 3876 wrote to memory of 2464	3876	Mcfkpjng.exe	107
PID 3876 wrote to memory of 2464	3876	Mcfkpjng.exe	107
PID 2464 wrote to memory of 4780	2464	Medglemj.exe	108
PID 2464 wrote to memory of 4780	2464	Medglemj.exe	108
PID 2464 wrote to memory of 4780	2464	Medglemj.exe	108
PID 4780 wrote to memory of 2248	4780	Mdghhb32.exe	109
PID 4780 wrote to memory of 2248	4780	Mdghhb32.exe	109
PID 4780 wrote to memory of 2248	4780	Mdghhb32.exe	109
PID 2248 wrote to memory of 3716	2248	Nlqloo32.exe	110
PID 2248 wrote to memory of 3716	2248	Nlqloo32.exe	110
PID 2248 wrote to memory of 3716	2248	Nlqloo32.exe	110
PID 3716 wrote to memory of 1704	3716	Ncjdki32.exe	111
PID 3716 wrote to memory of 1704	3716	Ncjdki32.exe	111
PID 3716 wrote to memory of 1704	3716	Ncjdki32.exe	111
PID 1704 wrote to memory of 1336	1704	Nfiagd32.exe	113
PID 1704 wrote to memory of 1336	1704	Nfiagd32.exe	113
PID 1704 wrote to memory of 1336	1704	Nfiagd32.exe	113
PID 1336 wrote to memory of 4156	1336	Nkeipk32.exe	114
PID 1336 wrote to memory of 4156	1336	Nkeipk32.exe	114
PID 1336 wrote to memory of 4156	1336	Nkeipk32.exe	114
PID 4156 wrote to memory of 768	4156	Ncmaai32.exe	115
PID 4156 wrote to memory of 768	4156	Ncmaai32.exe	115
PID 4156 wrote to memory of 768	4156	Ncmaai32.exe	115
PID 768 wrote to memory of 1536	768	Nfknmd32.exe	116

C:\Users\Admin\AppData\Local\Temp\cc3bf639c130e003017231e96d598980N.exe
"C:\Users\Admin\AppData\Local\Temp\cc3bf639c130e003017231e96d598980N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\Mekdffee.exe
  C:\Windows\system32\Mekdffee.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\Mlemcq32.exe
    C:\Windows\system32\Mlemcq32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\SysWOW64\Mcoepkdo.exe
      C:\Windows\system32\Mcoepkdo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
      - C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:5332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mcabej32.exe

Filesize
64KB

MD5
370be0c388e0a3795028605fd4e59809

SHA1
32652cd6933ebaba6b37c53f90fa3cfcbd64ac35

SHA256
a08518a1317f3f5a7d3ef02745ce5118a6262ab0c43046d82ae230355245e588

SHA512
deb25e54c9c793801554c4ec4af628a5acb1a8ed677d3ebfa64a2391fe60cc692e0abf8f782feef15d6892caddf895cb2835dc73f28fca3fedbaa49ac7a67359

Download Submit
C:\Windows\SysWOW64\Mcfkpjng.exe

Filesize
64KB

MD5
542685ec5ad8e885ca4ff1b96cfb23c9

SHA1
af674baa87066164d578fda6bad9d733861a72d1

SHA256
d6efa703f54abefe5b96d9dd5d1e3a73197195356df2f449dbd9261ca849a527

SHA512
d56a06d47b53495215ed320ad2ed96f667be704e42f73bc4cfa4af6991e0c29f944ba851693578cb3ff56a06eabe2bce5d6de9d343a8824eb344abdc10dcd1e8

Download Submit
C:\Windows\SysWOW64\Mcoepkdo.exe

Filesize
64KB

MD5
47c2970dbf9cde266504a5ca4928c016

SHA1
f65ce9a187ad5a5ab89cc7f254cf604ba3b0aac5

SHA256
ec4790bc469e25ea87c985f9b9b3e2dab4c222940df5f526976637f3cae78002

SHA512
e08a7abd617f65861ab3ea49733dcc22446006ed443c28696a1053eb5ccb47b25044e2da7626b87ffa7c675b5cc6fe23927068b7b20047853e58916e4f0203b2

Download Submit
C:\Windows\SysWOW64\Mdbnmbhj.exe

Filesize
64KB

MD5
6414b2e9cebd21023c43a39d0937d990

SHA1
cac92bd524881703f7169fee6b6890ac9283ec6e

SHA256
131f77cb3886f5b83a6906c926053a6fba7e2a72dc1c6fd6fbf426c55558b3e7

SHA512
31239076d3139ef80c226a2cc463b5b2c3c6456f271c906b3e8cd68cc81b413d00ba1d747402a728d213d36a70b0def16b254f2b9d772b3478f8239c1798df75

Download Submit
C:\Windows\SysWOW64\Mddkbbfg.exe

Filesize
64KB

MD5
409e8d5cf8034ba86530b7553699bb05

SHA1
86e8569a4222d2e5a0fe2494f0ed837ef49d3f44

SHA256
d49fe914008e14c37fce4a748e1d9d25ef9e4f000a44e76cc2039a2b1ae5d788

SHA512
417eae4b14ecff130c18b468b545b93d7ac69149be52c2f954d73952643990034adc813c04e05516ff64280d349c60d24eb913c899d347210de561821fe2da64

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
64KB

MD5
97d721f734a308055d5fda5e4cb94642

SHA1
5143f2669817a61a314de98a120183a21a8a6a70

SHA256
82747891bf875a9c1b5f0c13889f17d6a2640a0ea973d17423479e92c7be152f

SHA512
3ab833a1f9e1a4c5545c5c67604488ee0f5d56349aaa5ec60d9336822b0aeb7b0476f1746e9514a9ad6454fcab1e0bc77efb722d9dffe0f869de420b8711b637

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
64KB

MD5
1f5a6823dae45e6661de9b7fafedc44a

SHA1
136388eb46917cfc152bae9c6f477d13950b28a0

SHA256
1e53f0a87e975f5fd1058e43b1b65604019685928f507084501bc01d0df933a5

SHA512
77f20c2e0a714dbfa7a33776553f5108d2ac788c34c59e8d6219dfbdded3e69516d9b70ec5370e573b4c9aff0cc780a782201d1fb235e8ff27a9b08b96a46252

Download Submit
C:\Windows\SysWOW64\Mebkge32.exe

Filesize
64KB

MD5
170075ad6e037550282a03746183f409

SHA1
12aa683018ce098cb5cb0ea977ca4ab81ffb4a44

SHA256
c194971aff0ac26da6f1528d1389b6bcf6881743f4ea150282d78862ab8eb157

SHA512
891075a8722a98b1c90704c03d0db7d8e87ebbc45a7256e4d4c5c9ebdd1de709c43f761b37e28776cce67cbf24121ebcd23f2ab5743ae341436928b105d847e0

Download Submit
C:\Windows\SysWOW64\Medglemj.exe

Filesize
64KB

MD5
dd2f0fbc2784aa77dca2086fa4466bc8

SHA1
9b42204744ab7c68db3e0b9dbdae8cf747fd97d7

SHA256
cdedfe33caae5133fc6ee0585c63b2e3113b282dfc7b1233ae96a240e71f1e7e

SHA512
39639e5d73f0b6bba930bb0b1d603528bdafc872024ff54f05bb3be43a65b91205d4b6553afd26ff556cd8ea7a69b0eb7912276ad5d08dc791bdd2167f47789b

Download Submit
C:\Windows\SysWOW64\Mekdffee.exe

Filesize
64KB

MD5
7ad688a487e73ba62b695d16da771507

SHA1
4ca6f234aa2a3f42b6f8f21cd221af7fc8782b67

SHA256
dfd4c9846ee3cf38fba30f9b20216b25f4e9000fe96e935e363af325274bdcf3

SHA512
7c7ef0d995436e6db2454c1b0ff2dadc4e1387fd78845206890151b57bd1740646b04dc5dd4a00253ffc38394fd99c651b5f098b10ed009dcd2ce6d8948991ef

Download Submit
C:\Windows\SysWOW64\Mkjjdmaj.exe

Filesize
64KB

MD5
e0be12027f550ea967ebcabe80ad89b0

SHA1
6e3e03360b86880a5ad830fcc14ec2a79c63bfcd

SHA256
cbc98ed8c8b8a3606c9db208230c38c3f9a2d601da0273a3f40346c9ec3d513c

SHA512
29e02c2c34bd7058c1c06b41e9eeb2119ad8b209a186b0d879c0b0804d49c874711700a26c020ec5b2637c3ddcd2e9b25316bbf736322a57e55ea05e061b8906

Download Submit
C:\Windows\SysWOW64\Mkocol32.exe

Filesize
64KB

MD5
4c4df659d9112ece0e9e02a99c4134f4

SHA1
b62a62ec673abace4e9a6eb549702395ca26a596

SHA256
7e5dc601bad7deda3ffe523b8088d6b4a093172e599eb1166fdb33bfd8df4d27

SHA512
00613f2f16cd5a6d0a5b01ab7d57f5d05f4caacad0a3eda696f43fe8b421af5f75d2467d4752ec20426491edd73a344b3f543891a623d7d7feb37f369b8add01

Download Submit
C:\Windows\SysWOW64\Mlemcq32.exe

Filesize
64KB

MD5
3a64ca66de0c9fdc2945009492d82579

SHA1
079c2fd237a257afa8c1b5195939df77b70a7115

SHA256
f2219e3ac820d31aa6c43bd5e48734cd4f2ce5eed5ee9fffecea10725b09e367

SHA512
017d3db2542537b850a5e5aad6aec7bfc7f964efe1655f25e6a4290735315bb47d43de5d8b8147220fb1f26f25c98f7c52ea16828926020092dbed72fcfdabef

Download Submit
C:\Windows\SysWOW64\Mlifnphl.exe

Filesize
64KB

MD5
63deb4a707f019fbd7076b0187b974c8

SHA1
0ea733e726496cee78360410c7439d58c7c080f2

SHA256
e1a03864bc37cae731473f0a215c81ed9743f50b07f70e3b71cedc36501a9799

SHA512
d338f02a526c47a04594dc7dee3abadbf2402be9cc81d682445a5818dc15f4d9814e7b10477e12e61a6957769af38fd6834a7403cd05376748aa39868e8c3930

Download Submit
C:\Windows\SysWOW64\Mllccpfj.exe

Filesize
64KB

MD5
43bc98fd2433f4b33635eefd5a9c56ba

SHA1
55aa26be47b384cce882f766230ae7708f55a2e0

SHA256
4ea2cf40675c62464a19aefcf0f0475fb292c0c5b6dbca2037da9d6dd3e8ba5c

SHA512
997b3c263d089bab6a3311ddf13fafd6072e2cdb8ff2fd3ae16598c9909b911fbddb0566539929150e1ab47c2a1d36f393601837c94ea64e0cde8b8c30fd5b43

Download Submit
C:\Windows\SysWOW64\Ncaklhdi.exe

Filesize
64KB

MD5
8098183d27180801cdbaf5308b1e348c

SHA1
cfdd9a747faa90af11c90341a84b97dcb5e7bc54

SHA256
70ac291ffe549e67370727a7d67b946fd10099abcc64efc89ef467aec191900b

SHA512
63920c2381ebd7fbadc4ec3365933c7e3704b744b66a0c883b0ac921bac30fce8547bdc065e7737317491721a28a9b8cadc9259aecf05e9eb1697475184feb56

Download Submit
C:\Windows\SysWOW64\Ncjdki32.exe

Filesize
64KB

MD5
5d6682af3f3bc6d37d6ff8d516845ed1

SHA1
3183f5b0f80ae7007b2030b45e778be22f7f1e71

SHA256
a5aca186e506cac29e46b50b753d475849225b2e60bf697ec8e7b7ba2b368679

SHA512
ee9057c5bafbc10ba5163c69c412a64913ea04d0f24a8276e2257dc368428ec98429770185926a892864538b76d4eae4f3234d3a33b2434b8459af991fef55b8

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
64KB

MD5
b3bf25da1a5fa5601389725a2a28a732

SHA1
df714bb0de74c674727867f41cfa0fd92a733391

SHA256
a0e59dd4f8cc41c471de371e3312478ec2afb3d182417f5c1f3a49b928f038bc

SHA512
baa7314103b3e729618f3e5624f6e9a984c95d49933a8872401aa6e1ca3f074c681a6891c925422581a26392010cebb3a7cc53dacc6d97e39db32e5b673808cb

Download Submit
C:\Windows\SysWOW64\Nfiagd32.exe

Filesize
64KB

MD5
bda2e9b9bfd40ca7a74a6cb42572f3d1

SHA1
b2992d3c8d893e7804ea0bd09e1b6d71be82be37

SHA256
4e0babe43be12d8f78fedf0c0f29dd238dcf47f5582b27dbecb89d7c288f476e

SHA512
9aa2ef9283ad284d98a23eea1ac6365c511741beeec4f6e6c47568a59e704ca42b4826ada58f932bb903761f8aa00c5df6f70fad4d8dc372855c5dd64877c8a4

Download Submit
C:\Windows\SysWOW64\Nfknmd32.exe

Filesize
64KB

MD5
cbba57922d811c06475606ff58ff2bc6

SHA1
dff06c34385b4daaa5b1106298b74b519c9ff209

SHA256
f69383efafd111284a1110f9d5adb1d029358f8b85df7826f4085066f8091a4d

SHA512
6dda28e974059885f315f855e87ef3544ab07bc978cebcf1668847028000daa4694235a4144c316c0e0eca35d8a878da22c1178157c8d7bafea2361a626f5a3d

Download Submit
C:\Windows\SysWOW64\Nfnjbdep.exe

Filesize
64KB

MD5
3c84e8b665e0096747c27d17acde3522

SHA1
6964c55d72c8df82ae8d7c551d2fec8d8f7f6396

SHA256
9652834ea82f27d542a0a39cc0f4ff9767a386e447a1d5a9c67f2f5a0412e975

SHA512
1358890e671082117a206820b9b6a246fb9fd81ad5381a06c873765acf3839bac0b4d4631acf425fdbb6545210c6e80fd1664e17464fc7b5abd4f371404a68b1

Download Submit
C:\Windows\SysWOW64\Nkeipk32.exe

Filesize
64KB

MD5
cacbf0e5b0d0eae68abf8c34456c8c84

SHA1
b2f11c02bf05458b4cd0e11aec086713f89c97b5

SHA256
976df454afd2ec609d3d674b7ebf470485c8c47b5de77a1fff5a1b0421f5e427

SHA512
1ff8e0365f07efbd09e2d9046cb483b4ff4f8d5a11f2d145b314aa9761bb5073e78ccb7269b7efc761f2f20de729f0607907154eb84127f2285e7e615687724e

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
64KB

MD5
6a43ac5b432dd37ce43cb69894386f75

SHA1
5397a8df74873fd21acbc45ace17fec19e5bc33d

SHA256
701e076e355e970050153c25b882472cf93b0231033cbdc9ca984a7313d2a37f

SHA512
152e1e565f66d0bec9a43caef1d4109cec68d110634ea12d5ad77e52d37bc0dfc7e87f2b949c4df10d4e5850b6f3e19384a21f671539341b8f465f281409f5a2

Download Submit
C:\Windows\SysWOW64\Nlqloo32.exe

Filesize
64KB

MD5
8c0ac1ca26550f07350ca32ae577c77f

SHA1
eafdd9d1f07e72d843e5eddfd4ba02cb013ca7d8

SHA256
5da59ba1daad7e6fad298e73b61d5580e2c69e9c6c0218796ebffdaf59b6a48d

SHA512
924e749f2c7ab4792091a1214c40e8e6baac41eb9d19c116de21445aed8909ee065052d6262661b5f1a86d0218ad9b1356b36eb5d62213e6710ed414f521d270

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe

Filesize
64KB

MD5
af3cef76757cc4fd7d83cfcd94e2548c

SHA1
31c6c377989c6967f539e0171188f6ebb16ca051

SHA256
130e294b966e86ece0962002b4b097226c07b463706cb1b310e9c685a09e30ec

SHA512
ce729adc2a7cad7e7993799bf0de6720139fdc18f5a4fad7e3e5bb347af8b43b1fc26e190a626e2e0ccb9548a3ee76199d3067a87e6bad22093240234205e94c

Download Submit
C:\Windows\SysWOW64\Obkahddl.exe

Filesize
64KB

MD5
8281db675139e4ea0dd6dece4e7e3a6d

SHA1
612de56a255499cdcc223a196262f89056971ba4

SHA256
4bf88b0bed4dca44210c8f2c4d06821b8a43a3e851e10868255c9586e9126814

SHA512
233302bd80e2e9fda307fac6eb57b31d55fe0ba9c45e495f62023a285cc45e7b8fd9483e4203208693da1cd95e7bcfa1afcc6fee464f2090c0edc6ae6a15f33f

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
64KB

MD5
cd73e31b6c8d24922d9b95ecddb6b79e

SHA1
8cf7effe454107f1183c4c7d41d1132098220377

SHA256
d706b327350dc24363d14e4efed48c824f475fdf95d997c871b977f2966c1b01

SHA512
871ee794e3b7e090a4bac134055ee73f77b69e69032ddc3047f3ddfc8f54ed5017d8423b6f3a69fadef4e4341de75c4d7f4a0359d4137c29f12cc18d4dc15233

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
64KB

MD5
57f09c2463022076ae3247d349402050

SHA1
6256cf8fb7ea4b3775cae916f729b112b2fa03ac

SHA256
3da7217d598af5c84800408b25d5a2a184f0a624aebd98c0aa3d207c6607bc50

SHA512
cbbcf6f57a3aadaf18fbe24d02e94d54000d1dc43e18b6b2cac9f5de1208977420beb69d2a9f5ff86297505762e1693bada1faa6ad26d870924caa4e78b0fa45

Download Submit
C:\Windows\SysWOW64\Ohncdobq.exe

Filesize
64KB

MD5
75099ebe32929cabf35e3b276f100c47

SHA1
1365941dcc07df8a783f2ab5ef04a60c1188e2a9

SHA256
699263cad5d2086762fe84a2bfd9849126c5080494e9230d14682228d5419c7b

SHA512
4bcff443c1b12730526cf696b6ce7059ebffcede747f082461c0f1a6f552e6882313fdada5fc18d8d2c1e8c138f5fefd4346005f630d5cee90ca79ffbd7af095

Download Submit
C:\Windows\SysWOW64\Okolfj32.exe

Filesize
64KB

MD5
37c4eee043ebd7746151a962768afb87

SHA1
5b4525ff8e44c143ae1dec8e31cbc79cf7a232d7

SHA256
aed6f5c75cd6ad2ca187af2a0329166c7c6bcf6c830a63790d701417f54a9d11

SHA512
fac3b3c98988ad79419ed25c4fef0fbc4d9a1b3ef99432e9591e7072885f3dbce3fa37e9c9cf04ac73791c336e9cbd01d913e204677c43597df3a2a09b830c34

Download Submit
C:\Windows\SysWOW64\Oloipmfd.exe

Filesize
64KB

MD5
360ff3e1f935dffc3e35bd5c252a3d02

SHA1
6012326458c07c0a2f257841d10369a4f356592e

SHA256
c1b88f9984e628d981145803b2484e9d48f8f96fa20c6f1ab2668508c6cfa565

SHA512
92cb1a056cc08800750206a477ccb863015db05a36d4a1b998fcce3b976666193c84dd24e10f103b95ce7b6f3eefd6067adc3e5dd2d171e58ae88f8e812b19a4

Download Submit
C:\Windows\SysWOW64\Oohkai32.exe

Filesize
64KB

MD5
79df345f47252d9c51a49d2e540053e0

SHA1
63809b818853a24cd17f8a498558d37b4d13b10f

SHA256
c53d41697d068741c4842ef1f2412d857ac227ae470cece21cf997443ddb023d

SHA512
5e49190c76b717b9bbc606878d069f7ef0762f21dc494360e9d59c4ff17571b958276abdb3b3caac9dae486f4cdb597c9e928f86e83fd5c91acd5a1e13c6db37

Download Submit
C:\Windows\SysWOW64\Qfgfpp32.exe

Filesize
64KB

MD5
ee7ed59149c8a1639fec798ff55ae502

SHA1
46fa5ef15a6323ad7eccec973a9cb25b0515b80a

SHA256
089d2c1ab5a4e5f520fd4b0fb42f5b52c567a167d2773052911c4024633826d8

SHA512
01d7e1e419daf1398cd88e1c0f8f87da4b9b5b9a73e6ce79cf95d432a0fc1f9fcde2ab06a479a64b895125ad0c0aca9a0e09c1daee2feaef85e09d9d0bb03bcb

Download Submit
memory/452-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4664-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads