b8819fadcf13f81a500b46a63728d5a54f9af2268faeaa4806ecb281b0fe5873

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecabb9c36ad583ce9fb7fdde83502740N.exe
Size

128KB
MD5

ecabb9c36ad583ce9fb7fdde83502740
SHA1

40b85a9066e6e3ff73d56a4315db2465249f15fb
SHA256

b8819fadcf13f81a500b46a63728d5a54f9af2268faeaa4806ecb281b0fe5873
SHA512

67d8dadf266ae386f5024cdfa0e964d7bfb2ad26edbf5e8a32ea63c6046189e238eabed34cd06aa2ff338cb4f3420c08e77ad338416f3d8e4abe752bb35aef0f
SSDEEP

3072:QNBHv4zjV83+YVCCf2uAnEMEelSJdEN0s4WE+3S9pui6yYPaI7DX:2BPW2+YVWu9icENm+3Mpui6yYPaI/

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmdlflki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qhbhapha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qggebl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqilaplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbbkbbkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	ecabb9c36ad583ce9fb7fdde83502740N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgkegn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkqdnkge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciefek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjfclcpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjiloqjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiqomj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Addhbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmlafk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhcfleff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjkiephp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elaobdmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhfoocaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlnhi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpmmfbfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbpolb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bglgdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dalkek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfdfoala.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opmcod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdbbfadn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgbkgmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akjgdjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oinbgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onqdhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjlnhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqfolqna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enpknplq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdjpcng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoiqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdnkhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigcjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npadcfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Omlkmign.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgkegn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agiahlkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agqhik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bggnijof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bqkigp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdnkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmlafk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oiqomj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onngci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agiahlkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaofedkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Addhbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjomldfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfdfoala.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Naqqmieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ophjdehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqilaplo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnboma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnkbcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmghklif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhmmieil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onqdhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dagajlal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ecabb9c36ad583ce9fb7fdde83502740N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnnlk32.exe

Executes dropped EXE 64 IoCs

pid	Process
208	Mmdlflki.exe
2236	Mjiloqjb.exe
1020	Mmghklif.exe
1380	Mhmmieil.exe
3024	Mjkiephp.exe
3460	Mmiealgc.exe
4064	Maeaajpl.exe
2212	Nmlafk32.exe
3556	Ndejcemn.exe
3624	Nfdfoala.exe
1620	Nmnnlk32.exe
4940	Ndhgie32.exe
1820	Nhfoocaa.exe
3776	Nkdlkope.exe
1228	Npadcfnl.exe
2568	Naqqmieo.exe
4468	Okiefn32.exe
1688	Omgabj32.exe
2184	Oinbgk32.exe
1172	Ophjdehd.exe
3480	Oiqomj32.exe
800	Omlkmign.exe
440	Onngci32.exe
212	Opmcod32.exe
4504	Onqdhh32.exe
660	Opopdd32.exe
4060	Paomog32.exe
3616	Pgkegn32.exe
3124	Ppdjpcng.exe
4388	Pjlnhi32.exe
380	Pdbbfadn.exe
3564	Pklkbl32.exe
2164	Pgbkgmao.exe
1960	Pahpee32.exe
1072	Qhbhapha.exe
4220	Qkqdnkge.exe
3708	Qpmmfbfl.exe
1660	Qggebl32.exe
944	Aamipe32.exe
4264	Agiahlkf.exe
1204	Aaofedkl.exe
3128	Ahinbo32.exe
4168	Ababkdij.exe
3376	Akjgdjoj.exe
3352	Aqfolqna.exe
3740	Agqhik32.exe
4864	Aqilaplo.exe
2080	Addhbo32.exe
2884	Akopoi32.exe
1980	Bqkigp32.exe
4112	Bnoiqd32.exe
3688	Bggnijof.exe
2672	Bgjjoi32.exe
1604	Bbpolb32.exe
4440	Bdnkhn32.exe
3504	Bglgdi32.exe
828	Bbbkbbkg.exe
2244	Bkjpkg32.exe
4360	Cqghcn32.exe
4016	Cjomldfp.exe
4200	Ceeaim32.exe
1384	Calbnnkj.exe
1956	Canocm32.exe
1324	Ciefek32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oidodncg.dll	Pgbkgmao.exe
File created	C:\Windows\SysWOW64\Aamipe32.exe	Qggebl32.exe
File created	C:\Windows\SysWOW64\Addhbo32.exe	Aqilaplo.exe
File created	C:\Windows\SysWOW64\Bbbkbbkg.exe	Bglgdi32.exe
File opened for modification	C:\Windows\SysWOW64\Ciefek32.exe	Canocm32.exe
File opened for modification	C:\Windows\SysWOW64\Cjfclcpg.exe	Ciefek32.exe
File created	C:\Windows\SysWOW64\Dagajlal.exe	Dgomaf32.exe
File created	C:\Windows\SysWOW64\Dhhcgogn.dll	ecabb9c36ad583ce9fb7fdde83502740N.exe
File opened for modification	C:\Windows\SysWOW64\Mmiealgc.exe	Mjkiephp.exe
File opened for modification	C:\Windows\SysWOW64\Pjlnhi32.exe	Ppdjpcng.exe
File created	C:\Windows\SysWOW64\Akopoi32.exe	Addhbo32.exe
File opened for modification	C:\Windows\SysWOW64\Dagajlal.exe	Dgomaf32.exe
File created	C:\Windows\SysWOW64\Hjpdjplo.dll	Dgaiffii.exe
File opened for modification	C:\Windows\SysWOW64\Mjkiephp.exe	Mhmmieil.exe
File opened for modification	C:\Windows\SysWOW64\Oiqomj32.exe	Ophjdehd.exe
File created	C:\Windows\SysWOW64\Onqdhh32.exe	Opmcod32.exe
File created	C:\Windows\SysWOW64\Lbccec32.dll	Bbpolb32.exe
File opened for modification	C:\Windows\SysWOW64\Npadcfnl.exe	Nkdlkope.exe
File opened for modification	C:\Windows\SysWOW64\Paomog32.exe	Opopdd32.exe
File created	C:\Windows\SysWOW64\Ahinbo32.exe	Aaofedkl.exe
File created	C:\Windows\SysWOW64\Bdhiofpj.dll	Canocm32.exe
File created	C:\Windows\SysWOW64\Dalkek32.exe	Dhcfleff.exe
File created	C:\Windows\SysWOW64\Nfdfoala.exe	Ndejcemn.exe
File created	C:\Windows\SysWOW64\Pgkegn32.exe	Paomog32.exe
File opened for modification	C:\Windows\SysWOW64\Bgjjoi32.exe	Bggnijof.exe
File created	C:\Windows\SysWOW64\Mhoaqa32.dll	Ceeaim32.exe
File created	C:\Windows\SysWOW64\Clbcll32.dll	Djipbbne.exe
File opened for modification	C:\Windows\SysWOW64\Enpknplq.exe	Elaobdmm.exe
File opened for modification	C:\Windows\SysWOW64\Onngci32.exe	Omlkmign.exe
File created	C:\Windows\SysWOW64\Ppdjpcng.exe	Pgkegn32.exe
File created	C:\Windows\SysWOW64\Cqghcn32.exe	Bkjpkg32.exe
File created	C:\Windows\SysWOW64\Npqfogdn.dll	Cjomldfp.exe
File created	C:\Windows\SysWOW64\Cnboma32.exe	Cjfclcpg.exe
File created	C:\Windows\SysWOW64\Jhhgefed.dll	Dalkek32.exe
File opened for modification	C:\Windows\SysWOW64\Mmghklif.exe	Mjiloqjb.exe
File created	C:\Windows\SysWOW64\Naqqmieo.exe	Npadcfnl.exe
File opened for modification	C:\Windows\SysWOW64\Addhbo32.exe	Aqilaplo.exe
File created	C:\Windows\SysWOW64\Mmdlflki.exe	ecabb9c36ad583ce9fb7fdde83502740N.exe
File created	C:\Windows\SysWOW64\Nmkgdlkh.dll	Opopdd32.exe
File created	C:\Windows\SysWOW64\Eonjpqid.dll	Pdbbfadn.exe
File created	C:\Windows\SysWOW64\Gkhbnh32.dll	Dgmpkg32.exe
File opened for modification	C:\Windows\SysWOW64\Mjiloqjb.exe	Mmdlflki.exe
File created	C:\Windows\SysWOW64\Bloikp32.dll	Ciefek32.exe
File created	C:\Windows\SysWOW64\Pecpko32.dll	Bgjjoi32.exe
File created	C:\Windows\SysWOW64\Igehifaa.dll	Nfdfoala.exe
File created	C:\Windows\SysWOW64\Nepgghpg.dll	Ababkdij.exe
File created	C:\Windows\SysWOW64\Dgomaf32.exe	Daeddlco.exe
File created	C:\Windows\SysWOW64\Jjqakeon.dll	Ndejcemn.exe
File opened for modification	C:\Windows\SysWOW64\Onqdhh32.exe	Opmcod32.exe
File opened for modification	C:\Windows\SysWOW64\Cbnknpqj.exe	Cnboma32.exe
File opened for modification	C:\Windows\SysWOW64\Mhmmieil.exe	Mmghklif.exe
File opened for modification	C:\Windows\SysWOW64\Nfdfoala.exe	Ndejcemn.exe
File created	C:\Windows\SysWOW64\Ejanihcl.dll	Bkjpkg32.exe
File created	C:\Windows\SysWOW64\Qhbhapha.exe	Pahpee32.exe
File created	C:\Windows\SysWOW64\Bbpolb32.exe	Bgjjoi32.exe
File created	C:\Windows\SysWOW64\Igpgak32.dll	Daeddlco.exe
File created	C:\Windows\SysWOW64\Nbogaaom.dll	Mjiloqjb.exe
File opened for modification	C:\Windows\SysWOW64\Pgkegn32.exe	Paomog32.exe
File opened for modification	C:\Windows\SysWOW64\Qkqdnkge.exe	Qhbhapha.exe
File created	C:\Windows\SysWOW64\Aaofedkl.exe	Agiahlkf.exe
File opened for modification	C:\Windows\SysWOW64\Opopdd32.exe	Onqdhh32.exe
File created	C:\Windows\SysWOW64\Jqhdfhck.dll	Aamipe32.exe
File opened for modification	C:\Windows\SysWOW64\Aqfolqna.exe	Akjgdjoj.exe
File created	C:\Windows\SysWOW64\Cigcjj32.exe	Cbnknpqj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5480	5392	WerFault.exe	175

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bglgdi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cigcjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoiqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omlkmign.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paomog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhbhapha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agqhik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Addhbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjpkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Canocm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecabb9c36ad583ce9fb7fdde83502740N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okiefn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpmmfbfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqfolqna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnnlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfdfoala.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiqomj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pahpee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agiahlkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgomaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalkek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmlafk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omgabj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pklkbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbkgmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaofedkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciefek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maeaajpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkdlkope.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onqdhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bggnijof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cqghcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calbnnkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djipbbne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dagajlal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjiloqjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhgie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdjpcng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aamipe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjfclcpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgmpkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgaiffii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmiealgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdbbfadn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbnknpqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dabhomea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ophjdehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgkegn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhcfleff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndejcemn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akjgdjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqkigp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eldlhckj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qggebl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceeaim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnkbcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naqqmieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgjjoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdnkhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opopdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ababkdij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqilaplo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akopoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elaobdmm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacjdgkj.dll"	Mmghklif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmlafk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgmpkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhcfleff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhgefed.dll"	Dalkek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Omgabj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cqghcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaoimpil.dll"	Calbnnkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmbobfa.dll"	Nmlafk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qhbhapha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ababkdij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cigcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcll32.dll"	Djipbbne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dagajlal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oiqomj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdkbakj.dll"	Pgkegn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdbbfadn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgbkgmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bggnijof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjfclcpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmnnlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppdjpcng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qhbhapha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkobdqqa.dll"	Dgomaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgaiffii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nhfoocaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdbfa32.dll"	Bnoiqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgjjoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcoaqo32.dll"	Bglgdi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djipbbne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	ecabb9c36ad583ce9fb7fdde83502740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loifpp32.dll"	Omgabj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfhgbj32.dll"	Ahinbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepgghpg.dll"	Ababkdij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgaiffii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgkegn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qpmmfbfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Addhbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhmmieil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcllmi32.dll"	Okiefn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onngci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidodncg.dll"	Pgbkgmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmiealgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Omgabj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Paomog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npqfogdn.dll"	Cjomldfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfdfoala.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okiefn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnehb32.dll"	Onqdhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmdlflki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onngci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbbkbbkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnoiqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bglgdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhcfleff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onbiicqa.dll"	Opmcod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonjpqid.dll"	Pdbbfadn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agiahlkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahinbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppehbl32.dll"	Addhbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dagajlal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	ecabb9c36ad583ce9fb7fdde83502740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnboma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dalkek32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 208	752	ecabb9c36ad583ce9fb7fdde83502740N.exe	92
PID 752 wrote to memory of 208	752	ecabb9c36ad583ce9fb7fdde83502740N.exe	92
PID 752 wrote to memory of 208	752	ecabb9c36ad583ce9fb7fdde83502740N.exe	92
PID 208 wrote to memory of 2236	208	Mmdlflki.exe	93
PID 208 wrote to memory of 2236	208	Mmdlflki.exe	93
PID 208 wrote to memory of 2236	208	Mmdlflki.exe	93
PID 2236 wrote to memory of 1020	2236	Mjiloqjb.exe	94
PID 2236 wrote to memory of 1020	2236	Mjiloqjb.exe	94
PID 2236 wrote to memory of 1020	2236	Mjiloqjb.exe	94
PID 1020 wrote to memory of 1380	1020	Mmghklif.exe	95
PID 1020 wrote to memory of 1380	1020	Mmghklif.exe	95
PID 1020 wrote to memory of 1380	1020	Mmghklif.exe	95
PID 1380 wrote to memory of 3024	1380	Mhmmieil.exe	96
PID 1380 wrote to memory of 3024	1380	Mhmmieil.exe	96
PID 1380 wrote to memory of 3024	1380	Mhmmieil.exe	96
PID 3024 wrote to memory of 3460	3024	Mjkiephp.exe	97
PID 3024 wrote to memory of 3460	3024	Mjkiephp.exe	97
PID 3024 wrote to memory of 3460	3024	Mjkiephp.exe	97
PID 3460 wrote to memory of 4064	3460	Mmiealgc.exe	98
PID 3460 wrote to memory of 4064	3460	Mmiealgc.exe	98
PID 3460 wrote to memory of 4064	3460	Mmiealgc.exe	98
PID 4064 wrote to memory of 2212	4064	Maeaajpl.exe	99
PID 4064 wrote to memory of 2212	4064	Maeaajpl.exe	99
PID 4064 wrote to memory of 2212	4064	Maeaajpl.exe	99
PID 2212 wrote to memory of 3556	2212	Nmlafk32.exe	100
PID 2212 wrote to memory of 3556	2212	Nmlafk32.exe	100
PID 2212 wrote to memory of 3556	2212	Nmlafk32.exe	100
PID 3556 wrote to memory of 3624	3556	Ndejcemn.exe	102
PID 3556 wrote to memory of 3624	3556	Ndejcemn.exe	102
PID 3556 wrote to memory of 3624	3556	Ndejcemn.exe	102
PID 3624 wrote to memory of 1620	3624	Nfdfoala.exe	103
PID 3624 wrote to memory of 1620	3624	Nfdfoala.exe	103
PID 3624 wrote to memory of 1620	3624	Nfdfoala.exe	103
PID 1620 wrote to memory of 4940	1620	Nmnnlk32.exe	104
PID 1620 wrote to memory of 4940	1620	Nmnnlk32.exe	104
PID 1620 wrote to memory of 4940	1620	Nmnnlk32.exe	104
PID 4940 wrote to memory of 1820	4940	Ndhgie32.exe	105
PID 4940 wrote to memory of 1820	4940	Ndhgie32.exe	105
PID 4940 wrote to memory of 1820	4940	Ndhgie32.exe	105
PID 1820 wrote to memory of 3776	1820	Nhfoocaa.exe	106
PID 1820 wrote to memory of 3776	1820	Nhfoocaa.exe	106
PID 1820 wrote to memory of 3776	1820	Nhfoocaa.exe	106
PID 3776 wrote to memory of 1228	3776	Nkdlkope.exe	107
PID 3776 wrote to memory of 1228	3776	Nkdlkope.exe	107
PID 3776 wrote to memory of 1228	3776	Nkdlkope.exe	107
PID 1228 wrote to memory of 2568	1228	Npadcfnl.exe	108
PID 1228 wrote to memory of 2568	1228	Npadcfnl.exe	108
PID 1228 wrote to memory of 2568	1228	Npadcfnl.exe	108
PID 2568 wrote to memory of 4468	2568	Naqqmieo.exe	109
PID 2568 wrote to memory of 4468	2568	Naqqmieo.exe	109
PID 2568 wrote to memory of 4468	2568	Naqqmieo.exe	109
PID 4468 wrote to memory of 1688	4468	Okiefn32.exe	110
PID 4468 wrote to memory of 1688	4468	Okiefn32.exe	110
PID 4468 wrote to memory of 1688	4468	Okiefn32.exe	110
PID 1688 wrote to memory of 2184	1688	Omgabj32.exe	111
PID 1688 wrote to memory of 2184	1688	Omgabj32.exe	111
PID 1688 wrote to memory of 2184	1688	Omgabj32.exe	111
PID 2184 wrote to memory of 1172	2184	Oinbgk32.exe	112
PID 2184 wrote to memory of 1172	2184	Oinbgk32.exe	112
PID 2184 wrote to memory of 1172	2184	Oinbgk32.exe	112
PID 1172 wrote to memory of 3480	1172	Ophjdehd.exe	113
PID 1172 wrote to memory of 3480	1172	Ophjdehd.exe	113
PID 1172 wrote to memory of 3480	1172	Ophjdehd.exe	113
PID 3480 wrote to memory of 800	3480	Oiqomj32.exe	114

C:\Users\Admin\AppData\Local\Temp\ecabb9c36ad583ce9fb7fdde83502740N.exe
"C:\Users\Admin\AppData\Local\Temp\ecabb9c36ad583ce9fb7fdde83502740N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\SysWOW64\Mmdlflki.exe
  C:\Windows\system32\Mmdlflki.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\SysWOW64\Mjiloqjb.exe
    C:\Windows\system32\Mjiloqjb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\Mmghklif.exe
      C:\Windows\system32\Mmghklif.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\SysWOW64\Mhmmieil.exe
        
        C:\Windows\system32\Mhmmieil.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Windows\SysWOW64\Mjkiephp.exe
        
        C:\Windows\system32\Mjkiephp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Mmiealgc.exe
        
        C:\Windows\system32\Mmiealgc.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Maeaajpl.exe
        
        C:\Windows\system32\Maeaajpl.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Nmlafk32.exe
        
        C:\Windows\system32\Nmlafk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Ndejcemn.exe
        
        C:\Windows\system32\Ndejcemn.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Nfdfoala.exe
        
        C:\Windows\system32\Nfdfoala.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Nmnnlk32.exe
        
        C:\Windows\system32\Nmnnlk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Ndhgie32.exe
        
        C:\Windows\system32\Ndhgie32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Nhfoocaa.exe
        
        C:\Windows\system32\Nhfoocaa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Nkdlkope.exe
        
        C:\Windows\system32\Nkdlkope.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Npadcfnl.exe
        
        C:\Windows\system32\Npadcfnl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Naqqmieo.exe
        
        C:\Windows\system32\Naqqmieo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Okiefn32.exe
        
        C:\Windows\system32\Okiefn32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Omgabj32.exe
        
        C:\Windows\system32\Omgabj32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Oinbgk32.exe
        
        C:\Windows\system32\Oinbgk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Ophjdehd.exe
        
        C:\Windows\system32\Ophjdehd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Oiqomj32.exe
        
        C:\Windows\system32\Oiqomj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Omlkmign.exe
        
        C:\Windows\system32\Omlkmign.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\Onngci32.exe
        
        C:\Windows\system32\Onngci32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Opmcod32.exe
        
        C:\Windows\system32\Opmcod32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Onqdhh32.exe
        
        C:\Windows\system32\Onqdhh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Opopdd32.exe
        
        C:\Windows\system32\Opopdd32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Windows\SysWOW64\Paomog32.exe
        
        C:\Windows\system32\Paomog32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Pgkegn32.exe
        
        C:\Windows\system32\Pgkegn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Ppdjpcng.exe
        
        C:\Windows\system32\Ppdjpcng.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Pjlnhi32.exe
        
        C:\Windows\system32\Pjlnhi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Pdbbfadn.exe
        
        C:\Windows\system32\Pdbbfadn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Pklkbl32.exe
        
        C:\Windows\system32\Pklkbl32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Pgbkgmao.exe
        
        C:\Windows\system32\Pgbkgmao.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Pahpee32.exe
        
        C:\Windows\system32\Pahpee32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Qhbhapha.exe
        
        C:\Windows\system32\Qhbhapha.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Qkqdnkge.exe
        
        C:\Windows\system32\Qkqdnkge.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\Qpmmfbfl.exe
        
        C:\Windows\system32\Qpmmfbfl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Qggebl32.exe
        
        C:\Windows\system32\Qggebl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\Aamipe32.exe
        
        C:\Windows\system32\Aamipe32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\Agiahlkf.exe
        
        C:\Windows\system32\Agiahlkf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Aaofedkl.exe
        
        C:\Windows\system32\Aaofedkl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\Ahinbo32.exe
        
        C:\Windows\system32\Ahinbo32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Ababkdij.exe
        
        C:\Windows\system32\Ababkdij.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Akjgdjoj.exe
        
        C:\Windows\system32\Akjgdjoj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\Aqfolqna.exe
        
        C:\Windows\system32\Aqfolqna.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\Agqhik32.exe
        
        C:\Windows\system32\Agqhik32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\Aqilaplo.exe
        
        C:\Windows\system32\Aqilaplo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Addhbo32.exe
        
        C:\Windows\system32\Addhbo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Akopoi32.exe
        
        C:\Windows\system32\Akopoi32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Bqkigp32.exe
        
        C:\Windows\system32\Bqkigp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\Bnoiqd32.exe
        
        C:\Windows\system32\Bnoiqd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Bggnijof.exe
        
        C:\Windows\system32\Bggnijof.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Bgjjoi32.exe
        
        C:\Windows\system32\Bgjjoi32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Bbpolb32.exe
        
        C:\Windows\system32\Bbpolb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Bdnkhn32.exe
        
        C:\Windows\system32\Bdnkhn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Bglgdi32.exe
        
        C:\Windows\system32\Bglgdi32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Bbbkbbkg.exe
        
        C:\Windows\system32\Bbbkbbkg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Bkjpkg32.exe
        
        C:\Windows\system32\Bkjpkg32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Cqghcn32.exe
        
        C:\Windows\system32\Cqghcn32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Cjomldfp.exe
        
        C:\Windows\system32\Cjomldfp.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Ceeaim32.exe
        
        C:\Windows\system32\Ceeaim32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\Calbnnkj.exe
        
        C:\Windows\system32\Calbnnkj.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Canocm32.exe
        
        C:\Windows\system32\Canocm32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Ciefek32.exe
        
        C:\Windows\system32\Ciefek32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\Cjfclcpg.exe
        
        C:\Windows\system32\Cjfclcpg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Cnboma32.exe
        
        C:\Windows\system32\Cnboma32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Cbnknpqj.exe
        
        C:\Windows\system32\Cbnknpqj.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Cigcjj32.exe
        
        C:\Windows\system32\Cigcjj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Djipbbne.exe
        
        C:\Windows\system32\Djipbbne.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Dabhomea.exe
        
        C:\Windows\system32\Dabhomea.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Dgmpkg32.exe
        
        C:\Windows\system32\Dgmpkg32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Daeddlco.exe
        
        C:\Windows\system32\Daeddlco.exe
        73⤵
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Dgomaf32.exe
        
        C:\Windows\system32\Dgomaf32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Dagajlal.exe
        
        C:\Windows\system32\Dagajlal.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Dgaiffii.exe
        
        C:\Windows\system32\Dgaiffii.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Dnkbcp32.exe
        
        C:\Windows\system32\Dnkbcp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Dhcfleff.exe
        
        C:\Windows\system32\Dhcfleff.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Dalkek32.exe
        
        C:\Windows\system32\Dalkek32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Elaobdmm.exe
        
        C:\Windows\system32\Elaobdmm.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Enpknplq.exe
        
        C:\Windows\system32\Enpknplq.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 412
        83⤵
        Program crash
        
        PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5392 -ip 5392
1⤵
PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4340,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:8
1⤵
PID:5492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bglgdi32.exe

Filesize
128KB

MD5
228bed27caf7ccf5baa011008d5899f4

SHA1
08b25ad86b49d1f00fec3d5bbd1c35b836481c56

SHA256
5d5f822b88f167743172abd47472e635a656f9e1f68f792f725a73d6a9194362

SHA512
009ced25a5d0833a13209e274fa93d09a2771138090094dd046636aecf2587973e1d03783eb61731733041f996bda72a58f1a2bc742f571f0c1aae33b5d5e1b8

Download Submit
C:\Windows\SysWOW64\Cjomldfp.exe

Filesize
128KB

MD5
4dc098c376248398c72c9db86bc08413

SHA1
80248262d0e14bdd370b3089427b21f8c5179f03

SHA256
eca58a728e4659a8b99f458d65c580ebd426cccf37bf1de19d3c838e255c1a5b

SHA512
955d7c96067ce7c22c411cca73e3539e456e6f1bd62d81cffbdd499c04a4946dfb4ab7c2f5b392ab0ae14f5b1feb5ff10a8d700b648436934819488448cb4366

Download Submit
C:\Windows\SysWOW64\Daeddlco.exe

Filesize
128KB

MD5
483890b03fabc3b00598336cf9610f13

SHA1
6b47381f46ca6c8668f3c9b46662e166ba9e65cf

SHA256
bee7731ba9aa1a91f78f30e4a7d0130e20be95624e3d971d79d79e9ab912dfb2

SHA512
22b123aef3c28e7106ce134db45c5f91161a99f3aec27a20a20728308458cd1e8307f43244c48c5d4dd47c184cc66c77af6b45a124dd940a4e6b26a6712cdefb

Download Submit
C:\Windows\SysWOW64\Dhcfleff.exe

Filesize
128KB

MD5
d5e84237fb1f90d8390fa95a316a1c1d

SHA1
e89403887d61e4a5c0220683560e63e656557c28

SHA256
6a8bc70176ba876571a26103f3793e4a88fc108c50b659bbaa048d1f83d56b56

SHA512
f5e426bad71d508f0b699882b27555f97804d236add0d3851712a7bfcf4026adb6c67aaf7ec10a5eea967a0e6b332aab1824f43401dc4df0bad254428b27c299

Download Submit
C:\Windows\SysWOW64\Ffpfcf32.dll

Filesize
7KB

MD5
0ad2fec9a15979974902d537e3d93862

SHA1
c695ddbcb098204890127fec38a5dd6ef2eab12c

SHA256
d43ad2ac678fce9823e2c943a5ffa29b64749e2b8a4f7a8b7ba251af31e10fd6

SHA512
00ee27887709f463e05a758a031f1a0773720473596010bad8ed5f332bf932bc42c1e3ca69bcafce295ebf5952e97f9b07ab3c413597d727ebf3d0e5b33dde79

Download Submit
C:\Windows\SysWOW64\Maeaajpl.exe

Filesize
128KB

MD5
1600fbde4fcca0a8a815c09e9cbe1826

SHA1
57f257144cc2bdd55b6f310ea21176f726892d42

SHA256
c1bb8035aff57d22731c1d3749ba846d8866fb8b1b36ecfd2fe1aab4f3d6e9db

SHA512
056fe7c5be4a815abc91f22bab087cf8534745b5f0bbf1db544eb09859458d8a420525092e1cb8010edb8f03d08515307376914b1b5040a3a7f91184efd08410

Download Submit
C:\Windows\SysWOW64\Mhmmieil.exe

Filesize
128KB

MD5
0c594b433399cff827d42e43fbbc43d6

SHA1
9ccd50417e95e2a58a50753f1ae5347097cbeb06

SHA256
b002d0fb98b6c1c0834af0e0d269e3bbcada3ecdd2fe4eb4d57d12cad4653eca

SHA512
3c8351e42411b262f457eec0f786bf6118c9c5dd00b611c8f785127249a25f6b7a4608e5b389151678d8628d7313be69c1213321eebf2793ce155d2d065e84ee

Download Submit
C:\Windows\SysWOW64\Mjiloqjb.exe

Filesize
128KB

MD5
79ac9cdec7fb9afa49937713af1092b5

SHA1
10d93f228746420da0b835b1e621c654ce5fa072

SHA256
ef6fffd87731dabd3a1761c8ecd22ea2fc5a045c6ba94043626bb121b8f49c32

SHA512
f939e8284c537a033a5362bfbb7506289d879c0b4638a4617f76d9b0d35dc9d8610f189964a7d6b0496e76c44d8c38960b88befb5f84e90dab2ec1a5dbfe7e15

Download Submit
C:\Windows\SysWOW64\Mjkiephp.exe

Filesize
128KB

MD5
eee5aedb2abd048e14e08b9dcb5f317b

SHA1
6d9ef10c19bdc2443e6ad9561371cb14aea8c634

SHA256
07c43685dc11d8737c987a69554513f1fc39210a90780dcfdbe362d8265727e4

SHA512
13583703c92695893954376a88cb342908fd86ace12b38a5c7383f8c46920ecf962edf49c5cb58590c9be087b29e0ede5f2053829cad6ab37eb03880683f4221

Download Submit
C:\Windows\SysWOW64\Mmdlflki.exe

Filesize
128KB

MD5
f91c58710cdcc51eb39d4ec0503ccf98

SHA1
0b9e1c65547fe8deb8c7af478d687c7ed6164a14

SHA256
63a4737afd979771ee2802a13bd6bd41129d6096327b1a9c1dba9a4b99fc6e6e

SHA512
c17f3cf7a4c57689f4b96bf99fa5e3e6041c6fa2b825cda626ce8fbf007869ad85e4fe7ccae70a941c9bf1b1209cce34db5b84cfecd4eb71543698d70a41f142

Download Submit
C:\Windows\SysWOW64\Mmghklif.exe

Filesize
128KB

MD5
0cbe8f3664b459651781b374d2d5633a

SHA1
ba4047a40c9291bb1d6de0ef6a60013b50b93ddd

SHA256
fe32e215d88f5da17a27476942722ddb5de9e579b150531498196117a1281023

SHA512
6ef124198a76e97cbb758d00a10ee254acb1ccf60d9511398c01ffabc6412483dcf3fbada03daf4c7ce6ff66765ce46ec329b588893d62a49068c3e365ab9086

Download Submit
C:\Windows\SysWOW64\Mmiealgc.exe

Filesize
128KB

MD5
b0bc5093b4765815f86cc7c9c55d7442

SHA1
e36db2bf0fb953c617aa919c7f9a15366c5d196f

SHA256
b76e17a8685c2ac98a153454166515b34918595f510cf171eeee41e8180bc822

SHA512
f23c6da20aa3924c1b22cc8b3848007f01d7e802aed58dddbbfac73f31f364e5885eb6cdde244ac2578cbd85ad4a2f49d70e52ccf0012f1534bc02a78929ddfe

Download Submit
C:\Windows\SysWOW64\Naqqmieo.exe

Filesize
128KB

MD5
32ca671b3459b34b7f8d210b52d2a8a0

SHA1
4889830c4c21b1e2c7e40e79295af4be98e507ee

SHA256
bc41223c9c5f1633a8021169712c9096d7576a85d4d6ac61fb90ab7ab6ad70f2

SHA512
aa471c84b1b36acdbcb05062b0b5202c0bd10092c1c188563b278a38b0240512ce00537cf1fd208bb4eb3d3ed6a38eb8322623d25bc0ddcf0e3cd0eff97bfa4c

Download Submit
C:\Windows\SysWOW64\Ndejcemn.exe

Filesize
128KB

MD5
391ac9b6486deef69b5efedd5c448a45

SHA1
d5e72292de65b1f4dd8d0ea66f945bbaacf29257

SHA256
652c5ab2ec4350739f7b2af6bc21e1800ec91a3f05934ae28c5f08ad95bec8fe

SHA512
35c06124a7d23a3f46f4b1db8fb533412da5757b91b99efbf46d6d97e932eee66e4f169f7180bad74ef3f782624a5a2aeb67d28817eb8ca4607142f8f637c1c5

Download Submit
C:\Windows\SysWOW64\Ndhgie32.exe

Filesize
128KB

MD5
094f7426edbb3dbf98b5c1716ce44954

SHA1
d024f4dd238f8d6c889e29c026f6d6d04c00ecab

SHA256
364161dbd64b9ab35020d3af184527ccdb395b9ff281605f393d41848be09884

SHA512
634089aa23574c5a05e76227758a7068af2fcadd4dcd72b45ae5fe7d0f1f7271c5d403ddda2f6890edebc9e99edc3ba5570c65ca3f5f1b1b12183ea82189c576

Download Submit
C:\Windows\SysWOW64\Nfdfoala.exe

Filesize
128KB

MD5
d87575afab7a8f831a38fb260741bd5f

SHA1
1215b7e084f15aaeab3eede52a19ecdf5a4d3315

SHA256
6ce5085b92016e7722225940fc31c69b6c367eff72b2a601a80f367d0ddd5e8b

SHA512
2fe66017eb1946a5f64960dd9f2f7858c78e16573df7488d90f871ba66dc2fb0305b683cfa0332a66a3cfb5cc4e10a33c70f1dc5fe1de6b605516f4a003f06c0

Download Submit
C:\Windows\SysWOW64\Nhfoocaa.exe

Filesize
128KB

MD5
ac841af9f12e674d56a2eb08c45a21fa

SHA1
e6d8daa67eb2eae1fb104c70f02d2dde03d47a67

SHA256
eac675fc5148cd53d1bf01e68ce7d976f7f1f5d8314b28df9752aa0c3a9fe67d

SHA512
e16ce2dac5ed6e4811f1f54b70bafbffdb92c009bb3c0f2bb2034248a36c41cc4b0bd299da696ba3a3f3c04d072e117dcb1900c17cd76d18ee7106e2aa24c5d5

Download Submit
C:\Windows\SysWOW64\Nkdlkope.exe

Filesize
128KB

MD5
c3a40ada2d6b845bb57413c1ca98d694

SHA1
c4e1aecde8b2e18f7b1ea9702390bf380228b9ee

SHA256
d756193c8999524bacd0c78e894aca6c3c07a473020fc1f461e571a56acd8b5d

SHA512
46f3feb70a02009de6c9a2586cd30827f934e4a3d9d4b140936497322dff35e2fc8256f84f43c4d30bca332e020ad24069df46f6cfe786e17abf033cf1d87780

Download Submit
C:\Windows\SysWOW64\Nmlafk32.exe

Filesize
128KB

MD5
d73cb4323c99fa9ef8aa0e8c67af4ced

SHA1
5b10517cfae3a68cf45c560ebf0d97b6f4e71987

SHA256
6290b257ea6d4c7a05f31efc9d0f2de36d5e70eb89bd80df97ab4fa62816ecb0

SHA512
c8b62c91236b97b99475298cba81b379c0984f739b20de3b497a41c3c11638c5ca05bc7d257b4a5ae49e0c62550225048e4b9a0d35ea71f170d3650e252902ef

Download Submit
C:\Windows\SysWOW64\Nmnnlk32.exe

Filesize
128KB

MD5
e8c3ea00e4b1211e8fd265aee7bfd3f1

SHA1
d9bee2ad35c7a9d4840fa49f37b8e955397bb3bb

SHA256
103cad38bf922d1ac0427f8645144ed816480f391510aacb166eea5e74f7c193

SHA512
d04bc31ecf03d7828bfc454eb70274061ba534be04d99e1f6df09db9a8973a3c3c6aa407a585a457ec7986c944a109ad30041e144df553192a509cecd5e49a48

Download Submit
C:\Windows\SysWOW64\Npadcfnl.exe

Filesize
128KB

MD5
81e99e25783f8b7ac2553a7c0c08c3c8

SHA1
fd1509cb40e91cc2b2c294d9d18c7b172604b9b2

SHA256
77681cee78d00816300d6cc9a9850d4f7814740c425c89ee0d483880195f8c8f

SHA512
16c7c886d9481a1063e805355fcf5c7387ace5bee80b813202c459e5d5f642b987f1822cf32104038f43bd2d05fbd94efaaffae3ad3fed8d06e3b6fd6cde5d79

Download Submit
C:\Windows\SysWOW64\Oinbgk32.exe

Filesize
128KB

MD5
8fee95454684c1e2e3170dbb4bc642ba

SHA1
206c65f5f9fb8af184ff0b1b7f0856ad21e68706

SHA256
966430a7089b2468a270336edefc62527b8046f932c1286daa5fde38c3396309

SHA512
0d37cff81ad5bbefaafaa3dcfc2db5022281b6af1d2e6341ecde0d061bfe6436040bf070effcf44d52f6c5f82106d2ff1892c5c1c853309e0bc07bec54f2ac8c

Download Submit
C:\Windows\SysWOW64\Oiqomj32.exe

Filesize
128KB

MD5
d5446fe08a0d9863011cea14b1e4708d

SHA1
6e6ef5b639daddf366a488ea65a6d7ad8fa2a2c2

SHA256
844c9b7faacd83d2b29ed54d2ab3b2a02b24437d65699da8c311f22a4dd31b5c

SHA512
94ce0856eb25e1d5b0f4bd862fb090484176ef7abfbe0c32e19f1491d83628d881062223ee27b00a6ea117f60f5325bec3b9967f4869fcb5cfefada57fae86e4

Download Submit
C:\Windows\SysWOW64\Okiefn32.exe

Filesize
128KB

MD5
b330ea2839ae236a0a41da6e7eb75996

SHA1
9aa6be16ef98a1363b59ab48edb2315a66ffd732

SHA256
430837b2bad320aa8f1253fa85e08ba69d57b48994a63a2201ea497af48c1ba3

SHA512
81c03852d85fd47c931e97346750699ed927bd00ef4a1ca5fdca0b3651d597f262f9a6631a5c0af8c3d40e0ded0843374504b45a971c6087634cf32dc47bf0a9

Download Submit
C:\Windows\SysWOW64\Omgabj32.exe

Filesize
128KB

MD5
ae2904ddf523523e91e579210b8ace11

SHA1
ae4a49328c30ddd5575bb517afa99900be3112e6

SHA256
2f7914c5c0d50003fa54bad39fe3d7ea7cb2e52f721baeab89e0f17370006a14

SHA512
33313086697938ea8ad2435c41d0257e91df3c873c15ad55f4d7b6e5e733c218c5eec758e9d730543e63a517b3a04ddb9d84c9adcfeac1276b7ace83c147c0db

Download Submit
C:\Windows\SysWOW64\Omlkmign.exe

Filesize
128KB

MD5
2963c4fd923ccd4f9d7c18fa8474b595

SHA1
6fd721c35e6c21494f89c3c8aed4868a111ba0d0

SHA256
85c71edbb71c511e9c147e13d8bd854734e7c6dacd1975b9bca344c20712cc84

SHA512
3d7ad76490088af6dabfde120c1062d73bc8b465742ee6df7c0cf93446f02a03fca2874f5ea101c1242a353b71838012052cc4e110c80b9fb6c8592a3dedc751

Download Submit
C:\Windows\SysWOW64\Onngci32.exe

Filesize
128KB

MD5
f64919de44617add67fdc40c9c08a471

SHA1
7f0cea3832100202237f19439afd7833e528637d

SHA256
3a9e2e917855d53f66dc7fcd6687b0ced1bdf49532005cff0d1f8b71d4cd576b

SHA512
8ffe584e41c28139043aaba16cee0f32c94388bc754b667ff2ff3717c8f1480617194cc09e36503675e039a8a3c822a241149db7e9ef06d7d4e92560f1f88284

Download Submit
C:\Windows\SysWOW64\Onqdhh32.exe

Filesize
128KB

MD5
66ee981e9f46afa5499ceb974328065f

SHA1
ddd39efe6998f9949d3b30775148d69751428d26

SHA256
f718d8a439dc2c7dc517fce0e6febacaf03ce1bb12f50ed84248723970060731

SHA512
d8a6d820b75b5878ca759b2c944c0dec247389f2111cde84b7d0ba810da50031ea9cffca647602acd9f05327139820050fe875d0f69fe536e512546d066a7833

Download Submit
C:\Windows\SysWOW64\Ophjdehd.exe

Filesize
128KB

MD5
2696ee4bf3322dfc6477c49f56951b31

SHA1
a202ca7ae7f3cee9a2f23efb61d44d8fe33ff23e

SHA256
19f6e170954775f6d4a27b70cf4adaa3a4247a4eb1b5c0ac2c403e45dcfb5971

SHA512
3b4b61662a12d6650e0447741f69e4339ecbab3dd63cf91d2d3f2eef38826a2c2ff0ca8de5b1750cc059e886e1dbe6bdd6f9e876d249449cd62480126ca727d8

Download Submit
C:\Windows\SysWOW64\Opmcod32.exe

Filesize
128KB

MD5
82a0d15ecff856340333fec5c62c2146

SHA1
18b6132d33bf8f305a8394e225779a1076b3cd9f

SHA256
1b777cad15c960ecdba070aded4251943882b8be8e3b231f73202b1358cd9ade

SHA512
281cd767e2cd36ad07b27ab65b963bb8285856e8e8190668ac42a5069df66d1d6e72aca30bc802375f4032fa70257b1c6a2e047a9670f426c93b1684051579b2

Download Submit
C:\Windows\SysWOW64\Opopdd32.exe

Filesize
128KB

MD5
7ac3cba8805d6e83feb2565a1edf1199

SHA1
88d11d5ca117f26c52c15aa460bd3ccacb969346

SHA256
a120e18d02260a6fff562fba7f13738e2a7fd033271c193157af5ccfbd9584ef

SHA512
8a99b07759f5be7b29b444e5eb1ca3e115d2e538d975f3d4f9a1facca3aaac08559e04fac0b958079216f341a0101b44b482007680c3f6b06fe9692369734287

Download Submit
C:\Windows\SysWOW64\Paomog32.exe

Filesize
128KB

MD5
a587c7d5ea64742666aff77227805586

SHA1
02a1f0bbd499961a74875c4e56ee9fe6a085704b

SHA256
dec34c874cfa8f7e367fb86fc23a5fc6b9263cccc42dd873def558f97b928f58

SHA512
985d9dfddcba6839234ab6a39b7e07ae48eea3071ea05a9daafcf98ddd2a720a2198ba55081b1f3d772ea93017fe676f6067a223e1121ef158b40feb09ad5a99

Download Submit
C:\Windows\SysWOW64\Pdbbfadn.exe

Filesize
128KB

MD5
d6e56284a64d84e6a563285133cfb976

SHA1
307ac9c6c37cf9cf1ca96ce5bc2289224a2f8a99

SHA256
bedc52aacb77c4fb64f779adcb62da635122cf2952a8502c95cf821f060116b4

SHA512
3431f119b1022a57251327a09ea42fd9bae09e9a69c9f14e207ea9a273feb5d431224c4274c1efaecf1af3052f4f5493b3544ee22a5baf29370ea4a099e1198d

Download Submit
C:\Windows\SysWOW64\Pgkegn32.exe

Filesize
128KB

MD5
c16c2512d3bae7322288ae77e2ea44c1

SHA1
c976b8619fb953a4062cddb3f117a1e13815550f

SHA256
20d180db40a6a221675170181e7e22719fa66ab646fbc6ecf923e589e388f648

SHA512
092c86f261b98080dd5b9b9e82cecdabf5b30ccbfa2d6d1f3054e20530c625043da1c9a6ef50968a76903b386e12a7269e55a918489ee6aa3f8d25956b58922b

Download Submit
C:\Windows\SysWOW64\Pjlnhi32.exe

Filesize
128KB

MD5
ea873578f5b6d748ee008bf3a0784a11

SHA1
d55c179a9e82f50abc566c15c69a92dc9b9d3fe1

SHA256
4a60d741e3f7f219aefbfd44ed26d927d3a774c098fe7457e4591e067a363e5e

SHA512
da95c331674ffc51131aafd96b9b31bf111d556166c5d56873d6b4b970f80aa4eecffcad1d7871675e9e45138af468dcae7178987ccb7a1e05e37699d72a7523

Download Submit
C:\Windows\SysWOW64\Pklkbl32.exe

Filesize
128KB

MD5
ae944272332480bf2ec7a1e0d9fab993

SHA1
989ce1d15673e9a8182591bdd1e7ed14ed5f59b5

SHA256
3cce0553d2cab4bceddf5a421f118d67a65e5d765b5876caa77e443252c3ba7d

SHA512
bd731444a6e722ca5da330c6b6e712815fd94ebf9c0a2cab0cca324caefbb81d9d7d83a8f6b84bba9bca7af1585bf6ef11fb1d7af21685640f7fe1d86edacb66

Download Submit
C:\Windows\SysWOW64\Ppdjpcng.exe

Filesize
128KB

MD5
465a38d0a2c2fda7ea8b4be880d609d8

SHA1
fa463e6247608e62e027b65c43fad478abc22441

SHA256
87739d9f4434422f004b6ff6bf8f6a0fbedf6130c0e0ebcc63f27034be43f0ed

SHA512
4b6f2d1ed0c1ff972a88428fdaba6e5807d707977e944125af809b07d5c82ec9489b48f048cd0a446d41a07820a61df2a2f9d0c8d390c3a809b5ce519d7d81ef

Download Submit
memory/208-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/208-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/212-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/212-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/380-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/380-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/660-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/660-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/752-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/752-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/800-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/800-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/944-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/944-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1072-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1072-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1172-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1172-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1204-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1204-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1380-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1380-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1980-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2080-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2164-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2164-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3128-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3352-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3376-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3376-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3480-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3556-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3616-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3616-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3688-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3708-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3708-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3740-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3776-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3776-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4060-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4060-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-331-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads