5a64dc990a96de77d1d37a47157895d37f7b31ae17ee090fb92d1953603052a0

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 21:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5a64dc990a96de77d1d37a47157895d37f7b31ae17ee090fb92d1953603052a0.exe
Size

94KB
MD5

3a6cfad632e92f39b8aef5f3378cf8d2
SHA1

7aa6354776f55de715c5a7503f4b877b70842be4
SHA256

5a64dc990a96de77d1d37a47157895d37f7b31ae17ee090fb92d1953603052a0
SHA512

81064d960d60e88b26aeea90a6cdeeaf28f2846934a9e6fdf9bc248aaa45840ba98d9d4884d6689d0dc44389d3ceade211000be20875e8c915153103f435ba7a
SSDEEP

1536:z7z3y4/2MduETEKSxe8mpWgdaMQIQqj+FLPY2RLfCEMqOPkAsS37hFnqy7kxeLtD:z7z3yM2MAEAKSxe1pWgMMQXqqS2oPkAZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mociol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mllccpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ooangh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlqloo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oooaah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnnianm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okolfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Memalfcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokanf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlemcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlgjhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5a64dc990a96de77d1d37a47157895d37f7b31ae17ee090fb92d1953603052a0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moefdljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Memalfcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjdki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odbgdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohkai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdbnmbhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjckkcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mepnaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdbnmbhj.exe

Executes dropped EXE 64 IoCs

pid	Process
1916	Mlemcq32.exe
4708	Mociol32.exe
2836	Memalfcb.exe
1104	Mdpagc32.exe
1784	Mlgjhp32.exe
2960	Moefdljc.exe
1776	Mepnaf32.exe
648	Mdbnmbhj.exe
3120	Mlifnphl.exe
4304	Mklfjm32.exe
1172	Mllccpfj.exe
5108	Mkocol32.exe
2564	Mdghhb32.exe
4024	Nkapelka.exe
1728	Nefdbekh.exe
4400	Nlqloo32.exe
620	Ncjdki32.exe
4120	Ndlacapp.exe
832	Noaeqjpe.exe
4452	Ncmaai32.exe
376	Ndnnianm.exe
4532	Nconfh32.exe
3564	Ndpjnq32.exe
4044	Nkjckkcg.exe
4824	Nbdkhe32.exe
3212	Odbgdp32.exe
3316	Oljoen32.exe
3180	Oohkai32.exe
3080	Odedipge.exe
1660	Okolfj32.exe
2020	Ocfdgg32.exe
5008	Ohcmpn32.exe
3092	Oomelheh.exe
3428	Ofgmib32.exe
1092	Oooaah32.exe
464	Obnnnc32.exe
5000	Ofijnbkb.exe
960	Omcbkl32.exe
4528	Ooangh32.exe
2328	Obpkcc32.exe
4564	Pijcpmhc.exe
2964	Pmeoqlpl.exe
3780	Pbbgicnd.exe
4568	Pfncia32.exe
2872	Pmhkflnj.exe
2316	Pbddobla.exe
2784	Piolkm32.exe
3916	Poidhg32.exe
2672	Peempn32.exe
1516	Pokanf32.exe
2512	Pbimjb32.exe
3536	Pehjfm32.exe
2552	Pkabbgol.exe
3652	Pomncfge.exe
3208	Qejfkmem.exe
4988	Qkdohg32.exe
4900	Qbngeadf.exe
3608	Qihoak32.exe
4424	Qkfkng32.exe
4744	Aflpkpjm.exe
4128	Amfhgj32.exe
4968	Acppddig.exe
4888	Afnlpohj.exe
4064	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Odedipge.exe	Oohkai32.exe
File created	C:\Windows\SysWOW64\Ocfdgg32.exe	Okolfj32.exe
File opened for modification	C:\Windows\SysWOW64\Obpkcc32.exe	Ooangh32.exe
File created	C:\Windows\SysWOW64\Ofaqkhem.dll	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Jjigocdh.dll	Mlgjhp32.exe
File opened for modification	C:\Windows\SysWOW64\Mdbnmbhj.exe	Mepnaf32.exe
File created	C:\Windows\SysWOW64\Oimlepla.dll	Nkapelka.exe
File created	C:\Windows\SysWOW64\Ngkpgkbd.dll	Ndlacapp.exe
File opened for modification	C:\Windows\SysWOW64\Nconfh32.exe	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Ndpjnq32.exe	Nconfh32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjckkcg.exe	Ndpjnq32.exe
File opened for modification	C:\Windows\SysWOW64\Nbdkhe32.exe	Nkjckkcg.exe
File opened for modification	C:\Windows\SysWOW64\Mdpagc32.exe	Memalfcb.exe
File created	C:\Windows\SysWOW64\Caekaaoh.dll	Mepnaf32.exe
File created	C:\Windows\SysWOW64\Mllccpfj.exe	Mklfjm32.exe
File created	C:\Windows\SysWOW64\Nkapelka.exe	Mdghhb32.exe
File opened for modification	C:\Windows\SysWOW64\Omcbkl32.exe	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Ghnkilod.dll	Ooangh32.exe
File created	C:\Windows\SysWOW64\Clpkdlkd.dll	Obpkcc32.exe
File created	C:\Windows\SysWOW64\Kkpdnm32.dll	Peempn32.exe
File created	C:\Windows\SysWOW64\Cfioldni.dll	Mdbnmbhj.exe
File opened for modification	C:\Windows\SysWOW64\Mllccpfj.exe	Mklfjm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndnnianm.exe	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Ohpcjnil.dll	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Cdghfg32.dll	Mociol32.exe
File created	C:\Windows\SysWOW64\Ooangh32.exe	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Pijcpmhc.exe	Obpkcc32.exe
File opened for modification	C:\Windows\SysWOW64\Qbngeadf.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Opepqban.dll	Qkfkng32.exe
File opened for modification	C:\Windows\SysWOW64\Mlemcq32.exe	5a64dc990a96de77d1d37a47157895d37f7b31ae17ee090fb92d1953603052a0.exe
File created	C:\Windows\SysWOW64\Nconfh32.exe	Ndnnianm.exe
File created	C:\Windows\SysWOW64\Pbbgicnd.exe	Pmeoqlpl.exe
File created	C:\Windows\SysWOW64\Nonhbi32.dll	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Ecdleo32.dll	Nefdbekh.exe
File created	C:\Windows\SysWOW64\Omcbkl32.exe	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Pmeoqlpl.exe	Pijcpmhc.exe
File opened for modification	C:\Windows\SysWOW64\Poidhg32.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Ncjdki32.exe	Nlqloo32.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Oooaah32.exe
File created	C:\Windows\SysWOW64\Iilpao32.dll	Qihoak32.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Acppddig.exe
File created	C:\Windows\SysWOW64\Bhalpn32.dll	Mlemcq32.exe
File created	C:\Windows\SysWOW64\Mklfjm32.exe	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Meghme32.dll	Mklfjm32.exe
File created	C:\Windows\SysWOW64\Nfoceoni.dll	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Dfhegp32.dll	Oohkai32.exe
File created	C:\Windows\SysWOW64\Pgoikbje.dll	Oomelheh.exe
File created	C:\Windows\SysWOW64\Qkdohg32.exe	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Mdbnmbhj.exe	Mepnaf32.exe
File created	C:\Windows\SysWOW64\Ckmpakdh.dll	Ncjdki32.exe
File created	C:\Windows\SysWOW64\Nkjckkcg.exe	Ndpjnq32.exe
File opened for modification	C:\Windows\SysWOW64\Odbgdp32.exe	Nbdkhe32.exe
File opened for modification	C:\Windows\SysWOW64\Ndlacapp.exe	Ncjdki32.exe
File opened for modification	C:\Windows\SysWOW64\Pbimjb32.exe	Pokanf32.exe
File created	C:\Windows\SysWOW64\Gckjdhni.dll	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Fddogn32.dll	Piolkm32.exe
File opened for modification	C:\Windows\SysWOW64\Amfhgj32.exe	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Moefdljc.exe	Mlgjhp32.exe
File opened for modification	C:\Windows\SysWOW64\Moefdljc.exe	Mlgjhp32.exe
File created	C:\Windows\SysWOW64\Oohkai32.exe	Oljoen32.exe
File opened for modification	C:\Windows\SysWOW64\Okolfj32.exe	Odedipge.exe
File opened for modification	C:\Windows\SysWOW64\Pkabbgol.exe	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Ipdkapdh.dll	5a64dc990a96de77d1d37a47157895d37f7b31ae17ee090fb92d1953603052a0.exe
File opened for modification	C:\Windows\SysWOW64\Mlifnphl.exe	Mdbnmbhj.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poidhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkdohg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moefdljc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdkhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noaeqjpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedipge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomncfge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklfjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllccpfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlqloo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nefdbekh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbgicnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peempn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgjhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obpkcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdbnmbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlemcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkocol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odbgdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mociol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjckkcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mepnaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlifnphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpagc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oooaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooangh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Memalfcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkapelka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnnnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a64dc990a96de77d1d37a47157895d37f7b31ae17ee090fb92d1953603052a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnnianm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oljoen32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhmbdka.dll"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mllccpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odbgdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mociol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mklfjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oohkai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqgpnjq.dll"	Pfncia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijbed32.dll"	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odbgdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noaeqjpe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miiepfpf.dll"	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofbkbfe.dll"	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkeki32.dll"	Mlifnphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mllccpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjonchmn.dll"	Nlqloo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omclnn32.dll"	Ndnnianm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmole32.dll"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	5a64dc990a96de77d1d37a47157895d37f7b31ae17ee090fb92d1953603052a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daphho32.dll"	Noaeqjpe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlifnphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkacdofa.dll"	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Peempn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mepnaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfoceoni.dll"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conllp32.dll"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhmeii32.dll"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgoikbje.dll"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flekgd32.dll"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nefdbekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balodg32.dll"	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddogn32.dll"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oljoen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkamckh.dll"	Poidhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlemcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlqloo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okolfj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 1916	4672	5a64dc990a96de77d1d37a47157895d37f7b31ae17ee090fb92d1953603052a0.exe	90
PID 4672 wrote to memory of 1916	4672	5a64dc990a96de77d1d37a47157895d37f7b31ae17ee090fb92d1953603052a0.exe	90
PID 4672 wrote to memory of 1916	4672	5a64dc990a96de77d1d37a47157895d37f7b31ae17ee090fb92d1953603052a0.exe	90
PID 1916 wrote to memory of 4708	1916	Mlemcq32.exe	91
PID 1916 wrote to memory of 4708	1916	Mlemcq32.exe	91
PID 1916 wrote to memory of 4708	1916	Mlemcq32.exe	91
PID 4708 wrote to memory of 2836	4708	Mociol32.exe	92
PID 4708 wrote to memory of 2836	4708	Mociol32.exe	92
PID 4708 wrote to memory of 2836	4708	Mociol32.exe	92
PID 2836 wrote to memory of 1104	2836	Memalfcb.exe	93
PID 2836 wrote to memory of 1104	2836	Memalfcb.exe	93
PID 2836 wrote to memory of 1104	2836	Memalfcb.exe	93
PID 1104 wrote to memory of 1784	1104	Mdpagc32.exe	94
PID 1104 wrote to memory of 1784	1104	Mdpagc32.exe	94
PID 1104 wrote to memory of 1784	1104	Mdpagc32.exe	94
PID 1784 wrote to memory of 2960	1784	Mlgjhp32.exe	95
PID 1784 wrote to memory of 2960	1784	Mlgjhp32.exe	95
PID 1784 wrote to memory of 2960	1784	Mlgjhp32.exe	95
PID 2960 wrote to memory of 1776	2960	Moefdljc.exe	97
PID 2960 wrote to memory of 1776	2960	Moefdljc.exe	97
PID 2960 wrote to memory of 1776	2960	Moefdljc.exe	97
PID 1776 wrote to memory of 648	1776	Mepnaf32.exe	98
PID 1776 wrote to memory of 648	1776	Mepnaf32.exe	98
PID 1776 wrote to memory of 648	1776	Mepnaf32.exe	98
PID 648 wrote to memory of 3120	648	Mdbnmbhj.exe	99
PID 648 wrote to memory of 3120	648	Mdbnmbhj.exe	99
PID 648 wrote to memory of 3120	648	Mdbnmbhj.exe	99
PID 3120 wrote to memory of 4304	3120	Mlifnphl.exe	100
PID 3120 wrote to memory of 4304	3120	Mlifnphl.exe	100
PID 3120 wrote to memory of 4304	3120	Mlifnphl.exe	100
PID 4304 wrote to memory of 1172	4304	Mklfjm32.exe	101
PID 4304 wrote to memory of 1172	4304	Mklfjm32.exe	101
PID 4304 wrote to memory of 1172	4304	Mklfjm32.exe	101
PID 1172 wrote to memory of 5108	1172	Mllccpfj.exe	102
PID 1172 wrote to memory of 5108	1172	Mllccpfj.exe	102
PID 1172 wrote to memory of 5108	1172	Mllccpfj.exe	102
PID 5108 wrote to memory of 2564	5108	Mkocol32.exe	104
PID 5108 wrote to memory of 2564	5108	Mkocol32.exe	104
PID 5108 wrote to memory of 2564	5108	Mkocol32.exe	104
PID 2564 wrote to memory of 4024	2564	Mdghhb32.exe	105
PID 2564 wrote to memory of 4024	2564	Mdghhb32.exe	105
PID 2564 wrote to memory of 4024	2564	Mdghhb32.exe	105
PID 4024 wrote to memory of 1728	4024	Nkapelka.exe	106
PID 4024 wrote to memory of 1728	4024	Nkapelka.exe	106
PID 4024 wrote to memory of 1728	4024	Nkapelka.exe	106
PID 1728 wrote to memory of 4400	1728	Nefdbekh.exe	107
PID 1728 wrote to memory of 4400	1728	Nefdbekh.exe	107
PID 1728 wrote to memory of 4400	1728	Nefdbekh.exe	107
PID 4400 wrote to memory of 620	4400	Nlqloo32.exe	108
PID 4400 wrote to memory of 620	4400	Nlqloo32.exe	108
PID 4400 wrote to memory of 620	4400	Nlqloo32.exe	108
PID 620 wrote to memory of 4120	620	Ncjdki32.exe	109
PID 620 wrote to memory of 4120	620	Ncjdki32.exe	109
PID 620 wrote to memory of 4120	620	Ncjdki32.exe	109
PID 4120 wrote to memory of 832	4120	Ndlacapp.exe	110
PID 4120 wrote to memory of 832	4120	Ndlacapp.exe	110
PID 4120 wrote to memory of 832	4120	Ndlacapp.exe	110
PID 832 wrote to memory of 4452	832	Noaeqjpe.exe	111
PID 832 wrote to memory of 4452	832	Noaeqjpe.exe	111
PID 832 wrote to memory of 4452	832	Noaeqjpe.exe	111
PID 4452 wrote to memory of 376	4452	Ncmaai32.exe	113
PID 4452 wrote to memory of 376	4452	Ncmaai32.exe	113
PID 4452 wrote to memory of 376	4452	Ncmaai32.exe	113
PID 376 wrote to memory of 4532	376	Ndnnianm.exe	114

C:\Users\Admin\AppData\Local\Temp\5a64dc990a96de77d1d37a47157895d37f7b31ae17ee090fb92d1953603052a0.exe
"C:\Users\Admin\AppData\Local\Temp\5a64dc990a96de77d1d37a47157895d37f7b31ae17ee090fb92d1953603052a0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\SysWOW64\Mlemcq32.exe
  C:\Windows\system32\Mlemcq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\Mociol32.exe
    C:\Windows\system32\Mociol32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Windows\SysWOW64\Memalfcb.exe
      C:\Windows\system32\Memalfcb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Nefdbekh.exe
        
        C:\Windows\system32\Nefdbekh.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:5320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amfhgj32.exe

Filesize
94KB

MD5
b2ad65e84758da463ec2c6e571a9d22f

SHA1
bbde0edbf8cdef33cfa31195e6450a3527068c52

SHA256
12bda35607ea122fbce3fda5682908d981625a83e90943a3fcd66b496c08a4a4

SHA512
2d2d11fade896e7927d1d8e3b34803c74630832ef7a11c837d4a17aaf63a5188090d09f11b30714b63a47e50249c791cbc54b4a3e82e270febaf9433bc44e779

Download Submit
C:\Windows\SysWOW64\Balodg32.dll

Filesize
7KB

MD5
9b12f42d892eb9292a798c3cc61fd10e

SHA1
22ef84f213f35f6d3aa0661669c27be38464c498

SHA256
ca17b0ac9849ea24efbc25c88cfcf4e59d44a6bb2db4ab0ed31d6b1541eb079c

SHA512
f3f18d528b9facd49e448211c7d489661ca0e969db74acbbd5230c110812295ff869e554c57f50382c2c3face8934cac95985cd59fdc5b25044090b6d0fa575b

Download Submit
C:\Windows\SysWOW64\Mdbnmbhj.exe

Filesize
94KB

MD5
0a6e3de5a2b52deb37af4ebf79a4b0c5

SHA1
a5554882a2df7af453d9dcbb0fc3d534799d4537

SHA256
e3688d0252580f982ea3c3550555bbe67b73551edb59aeacebede704ff70f940

SHA512
ef8d1ea9b42c36a63a859ebe364b637182501d1583e090f6dc716d9c8cd909dd083ffdbb8f0fb1e02a658fb7c1fbcebf7c7db5646d3b1572a8b63233000bf4c9

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
94KB

MD5
a842a4d4fb1295c814b2cff697da202b

SHA1
8070364369d8b52f228c9bec5f441704a144682d

SHA256
a78d79164eda7eeb32dc729a248d0ee457f7b092bbf8e2a47202265fce4d72e3

SHA512
b8517faeafd853a60ddd84e0a7ce9c978699e907e71e0af5f152c91b9f3e55439262a74069b3ff1feff9fd57a82196ea61a2d03fe8f3138b03da711e9b902ff9

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
94KB

MD5
07fd2618214a2c6c5c0a75c023f23c62

SHA1
dc6e91519beb44590385628329db55f25830b624

SHA256
a8af4ba82b023ae1225696e420f45ff543857ce90521ab341f357fd49949c43d

SHA512
3f779b2a290a786c3bdec1172ddacf597a0e04d8ac7be8037ba21ccbb5871e81bf34641e456c6effd69762d05cbcc50afc20cffd8d463013845bda58c96e95a1

Download Submit
C:\Windows\SysWOW64\Memalfcb.exe

Filesize
94KB

MD5
b6cd4ccbd5599074812e3e6227e10d96

SHA1
39933dbe0469089a7681d41996a95f98626fe58a

SHA256
204206b5597731e6120211b62eda33eb531798b4a448fb7747e1e048582cd5f1

SHA512
a307cc01ad89feaca32492891582ddcbff8a50fc9a5e3d64ddd25bda907f48ad16428775430c503f84af327648a0d9d9f2626cf0659aa0ccf655ce2251697342

Download Submit
C:\Windows\SysWOW64\Mepnaf32.exe

Filesize
94KB

MD5
cabc68eb50a5de63b0c0d9dd644e65bd

SHA1
2fb05eeae5c4fdd40b9454921f6a7c2696062b11

SHA256
53ff3cbf12f12cadb64ab174288c9ce73db925f507bb94b7f346800f113a96e5

SHA512
73c9d20ab94f510c5cc8d3890fdda5f61a78fbab20d8c7e024a595f412b3fbf4c9b6ef6432ab581082ed6ee3eeb89a4eff41c665625d1c3f72df9a0b42cd0298

Download Submit
C:\Windows\SysWOW64\Mklfjm32.exe

Filesize
94KB

MD5
0030db236299fd5c2b06d0a2ffb0a22a

SHA1
edc2aa0c154a58230ab27f01b69bd551dbca91e5

SHA256
5c51153b1af42f6592de07bc28cc6d4dab505e24899a9cd1bb2c63eba66a2606

SHA512
7b86980cf5894c4bca858f4ac2f66a5ff64af275bfa8d489a5352c949616dc65c5870e2dbb4a955ce93b41215e2dedc488cbbad9beef4a822fd6fcf4832934db

Download Submit
C:\Windows\SysWOW64\Mkocol32.exe

Filesize
94KB

MD5
d65ce125d5064e87c7a8eb55333a4530

SHA1
a20af754aaf6783c39270d3f5eac2710100db445

SHA256
ca3a3147b05742e2fb48215581dcee21a03186e905401e5c518f627871edf851

SHA512
63f72f10012f3b2321b2840eca099f5ce4ea6cc2879eff38321d84de3b354260927ad4219d3ee438c576892e9353f81fdcc1f993e1e6917e72cce4d3365a6617

Download Submit
C:\Windows\SysWOW64\Mlemcq32.exe

Filesize
94KB

MD5
7c0e1f43030c2acd7eb072ca09615536

SHA1
e3f39218154c0704b6ae5286df9a7635c0c6c7bd

SHA256
43a0d84fbd5f403ea651a123512305a35d310e2a0618805f1e98034ffed7c982

SHA512
316040891ba53d02b6a65fb54ba26b8bea61f06a492ea97cdb13fd0e6da2e5922328643440a4a4542698dfe57183fa76effe3f45fb5a1feaa078f1ece8cee60f

Download Submit
C:\Windows\SysWOW64\Mlgjhp32.exe

Filesize
94KB

MD5
293daeed06b53cec5920e71b9b61ec55

SHA1
2938d0af9669c6b60182ad57214c8db3fd506440

SHA256
cdc11e8174aff2dcfea91dcd6e12bf1f1ce540ff849cc8717faf668d17c23d11

SHA512
b1e95e5e76787735a5003f47d3941d98b57eda1285d78bfd09c9f4c00179759be904e6bc2a739e566e96878d0d5d452bbee72bf19c41ba2c11be1e7fa28bad9b

Download Submit
C:\Windows\SysWOW64\Mlifnphl.exe

Filesize
94KB

MD5
9c009e661e54ea7460eeba967b5c7040

SHA1
997eefb2619158b163181c385970903b1f64d159

SHA256
5feba1c12f193f5cb38ca2eaf1b4e6351e598fa8974f5da6544a620b896b8bab

SHA512
f1cda05d7be6d3c1d1b0e50556f758e2f48fbf0c89b5cbba650a2ab7566af348f9e9afd603406140aa0486312232f6c3b7c1a5aafa3d8646074075f1c25fff87

Download Submit
C:\Windows\SysWOW64\Mllccpfj.exe

Filesize
94KB

MD5
39bdad64c6eb7eb07b3959b39684ad2e

SHA1
19f4d573164bf856d95c5a72444fc261ffd09430

SHA256
ff03cd2c0686d1634d3e5d9fa3cf8001cd6648d92ca1e8026c89b381cbdb59f9

SHA512
1ee7d1d2e1c4f1ad96ab41dec542d4019ed76405bb38b8082ec561ac9bce5d00473d92a6bd2f8d9032ea396b86c1e1386778a36e4d5141a477030ece72da8804

Download Submit
C:\Windows\SysWOW64\Mociol32.exe

Filesize
94KB

MD5
1080b3944c88c485c93ea5db58a31b5b

SHA1
7e616d0eeb5ad01ed90a8bdf9ad3dd9b18a0e54f

SHA256
f0b59cf141fae00dc8e7b4788aa733c3358ceda7205f59cbf25c8642484b90f7

SHA512
ad233a008f18aaf922b0304ef1da6d26a39d25da084068dabaae42ff77aff871897ea3cb5cbfc372ff1a3ef53651bc02f8dbbbfc5b6d12aa51918d57657d13bb

Download Submit
C:\Windows\SysWOW64\Moefdljc.exe

Filesize
94KB

MD5
00b289a6e2e28c20340cdf4605e22b5d

SHA1
5693f77000b26dad35905b7f2ee18c9300654c5e

SHA256
90005767aaee60723d4b218bca5a0303f5c36c913a7e71b0f836ad519e5a3a14

SHA512
24d32011f8b645ef5fe2c666de7cf8daada5cd3aeae0fb41f0339655a38d2a2bfc18c39f7c2125ff8190d1507af29ca0340c28797c40025b51d95754418755ad

Download Submit
C:\Windows\SysWOW64\Nbdkhe32.exe

Filesize
94KB

MD5
8d573b5132dcd92b623a9e079ab7b227

SHA1
bc304f630af2e72c255d501c4ab76ec63673dee2

SHA256
ded7771d7ebadd688d034b4d5fd208a7b6002ec5d6b35aab577b2b13ec65f235

SHA512
449a98a35fd8852d423a432cb87674d30fdd7be51d1d5fa4ae1af70b2300abd1f7a72357a3d32f21bf06cbbc2a98c8b7b9ffd29c73c3be154279d5fb24a69171

Download Submit
C:\Windows\SysWOW64\Ncjdki32.exe

Filesize
94KB

MD5
138c211823b65c1ffb2055256c7052ee

SHA1
31a87369cf487273274166551ceb19c3b0066cf5

SHA256
9b687512a8dda45aae4a741c9d02c55a6ac7e63e8d768154bf75e1db8cd4838a

SHA512
a54d765d9cae2ff76350083e6f87049afece8e0e54c4bbf4ecefb01ef61645d931fa8dcc209f97c712d2a782febd3bdff58c59889dd9fe22ea8c2813632a4c74

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
94KB

MD5
fd954815885dc0594b18cf6b0ec8f2e4

SHA1
923061ce3a56764c2cd3827264ad8f136cf2b831

SHA256
a39479d3ec707968861a5e767f170eb5f5e7d55000b3e4e39828f1838ea99d9b

SHA512
5fc01a47a7e8ad73ec442a16065be1c4fa8f7615883aacee77236379ea7d0fd88e7ff3b17815fd82ab57be6025c01ad1d4bb9c8106ae81d49b7889dc0a68e723

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
94KB

MD5
fbc9803b76338e0c492cf45e001bc82d

SHA1
2c4233dffc674c87d14552e552bcfec66749a078

SHA256
929e52297b9abad685594313617e0af65d16d290d6b50efd00184e3b1eb8e230

SHA512
0729db90e202acb7dc15ca3acb4b78cbf7fb80763a8302a30b2758c289e912adbbe6786365d28c60423376f786f31e0e5fea4945c8e8b15f992455a7bb8d476a

Download Submit
C:\Windows\SysWOW64\Ndlacapp.exe

Filesize
94KB

MD5
3206a68b5270a9f4c113611470b7872b

SHA1
8c8995d10edb0d7766168f76e3d2841c2cfeeb1d

SHA256
0fd16c23947f5d640c1f05665fc56ecb0335747eb9f5c77526c2ac08b2943673

SHA512
6b8ed26a1fc4f0fc5d47663b1da22ac6ea3f5ef3f58948c8eccd673e802fc72eb325ed33357f179ca397c8f759d256417887e5047e4783716522cd7ff04f32be

Download Submit
C:\Windows\SysWOW64\Ndnnianm.exe

Filesize
94KB

MD5
91192fbb7e31c875010daf1ede0165ca

SHA1
32d7d84ea34c70f052ffef3bdad97f5f6f0d06a4

SHA256
10ce79604e39a465d6a95da7958d4f80eb88fa42f7e4d5ee70d2800893ee7c1d

SHA512
049cda7699316e3d69575bea02ecdbd121d027cbb50592ea5f8beb3f695741d1fd65eaf40dad32be747c78d01eb86ff2c7810a4917bec1235278705056e7aadd

Download Submit
C:\Windows\SysWOW64\Ndpjnq32.exe

Filesize
94KB

MD5
96ab8a9bf44e91061a0d4f75776661b2

SHA1
6fceb7dfffa52c59ae680bc3cce927bc4947aed5

SHA256
3ed0a75ecc93b5023e588ff60ad8d8d6fe7da5ce9efab265b625762940ea6b6a

SHA512
402a63a57066e15c0cb670199cb475b935414c523261123856ba31fca8274a6276c13c583c3cff0bbc4e9d8a056f4d70a9bcf7d8cae31ac2dfdccb2bff81aa16

Download Submit
C:\Windows\SysWOW64\Nefdbekh.exe

Filesize
94KB

MD5
0fb489caf52c60c3f07e039c4f0545c7

SHA1
360de07013e12692b2c92efb37a092e06d315228

SHA256
4ba72e29d1709b4a8345e52a23b0a77e62d7a8f5e9f5e772ae736dbf29c7f44d

SHA512
cdc9825b1fc5aa3779bcc98fd3314455e30e77d1281456e1b894826ce57769c9c4c2a4a2240d7020cdb0ab682388a1eeaaca65a0f340f32bb003b2a07b29766c

Download Submit
C:\Windows\SysWOW64\Nkapelka.exe

Filesize
94KB

MD5
312537d494a2960532c2c557690fad83

SHA1
e70ab22f31ba0fcccbe0b2d92927cbdf0176fb55

SHA256
98068c00a3ddb683b6aa547e0764fd1986751c695c7642d9d47127c5f900deaf

SHA512
203b926da6c890937d07aa48363a1cf90d936d2b7bc5fffdaed29620959805db2f24addfb8aaa42525baf533f55809475f22b29c4a609b2ead0a1572448ce3c2

Download Submit
C:\Windows\SysWOW64\Nkjckkcg.exe

Filesize
94KB

MD5
1420d8e72dd97ea25f234af221d7bba3

SHA1
db17fc17034d8432a6f610f79adac88a3b01947b

SHA256
3e79472a7a04ff2b49026cbbae5fcccd1391a8120c17b1d7981a26639dd86e1f

SHA512
b244484669bbd5f33f38eaf945862921062f6d20ac9fd54fd6a257e24601c5aafef6f473013f77c477458696ff764fe91fd02febbd5f4c4a26137865b28dc747

Download Submit
C:\Windows\SysWOW64\Nlqloo32.exe

Filesize
94KB

MD5
c64d4d230e458454acb7ac90fd9f6afb

SHA1
6394c81d62bb4e2a10dc7850617302c575d651ea

SHA256
8d906f5fd70027a080d294f399fb2beb55cd3052266723e813a27c5caa51312e

SHA512
57ace49437c42785de52ca4b7bd3d94d5511e14d0496b61fb26f69cc65c95fbcbfb3ca818803f93b938e8024820497f9c91f67563f59be8afb8fee7bd5a0c919

Download Submit
C:\Windows\SysWOW64\Noaeqjpe.exe

Filesize
94KB

MD5
03112c766c5477b8764a832ffe47fb32

SHA1
d002d38e80d75a55b20fa4cdb98c879ba3ec5fd7

SHA256
67125813a4269744c3ce2275bd3692e8ce2d9a880a2359f58d4fef32bad71ad6

SHA512
36a1e3a6477173aedc170211f861df92a68dbd6333f2757ccd73b4e93b89f3880b9bd76c57aeaf0f9c9428036a579de9c8a3655b577ce66d1a003cc21dde72ac

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
94KB

MD5
6a09620b49e74927e4550a22d76e472f

SHA1
900b2c94a218817e60d231eae2b0bd443d3eacba

SHA256
9d34d770edbb11fe7ae61591d2c2d23de896bac780b8c742dabc29df2278ba70

SHA512
27e4d8ed6733ab0d722eb0328856da7818e2bad4577874e5390024bce3cd86be34e3e423f6bb081362a02dc033ea29b1b0dda7a3fbb97e500dd3b2f0bcdb4b59

Download Submit
C:\Windows\SysWOW64\Odbgdp32.exe

Filesize
94KB

MD5
90b1c179d218f9ca50a88e51b1f174c9

SHA1
1f33b0b284ba9445c0b72f58738af953c2d9b37d

SHA256
af72ff09f243a32ca9fb75308526e532469c4c32038b804521ee4454bf3486ab

SHA512
c13a38bd15c5df1bb3423f34aaa6a1560c331f87c8994cc65ee3bddee9af935a4c3eee437ff589178244aa3fb7a96943adee7ee9af7a11e190214e601f214f48

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
94KB

MD5
55bebd28f2ded87390050c351214bd48

SHA1
9b1680839a5a686d8f2e571e66a04beb3e904a2e

SHA256
b83323095e91838f007327588c3638d04ae5891a9fd93d9412476a6deb5939c5

SHA512
b04b56a400e5abb3a5237a763ab986fd19b53ff69b75ef14f30c72aef3c19d60fb1998dda9bdfe6406b7dac3961b18e3452897d4b16e84a7b72fe10946376356

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe

Filesize
94KB

MD5
f0458f0188d6ff7788e9d926f661ef94

SHA1
baa091dfc06f201e6e950fd5f302ffdbc4916bc3

SHA256
d5c961349d4183e7a56c08a29c1f3e6d87ad5332ba970d53664203935213d8e2

SHA512
1a0b991ae3a0d265b7ddac8b45e8b238f41684d6210d05c944726208d4b5f18a42545fe08823821b85c971cc77ce851d00fb02ad6f63d27fb76db7aa36cc3853

Download Submit
C:\Windows\SysWOW64\Okolfj32.exe

Filesize
94KB

MD5
476bbee29ba8cd235419ab7bedf0183e

SHA1
657ea944013d50d55db5fc70a28d75a09febb2dd

SHA256
a4653283b2a15c453399367c71f36e08c7edf5d60368bf312433551dad9086ec

SHA512
060d32dfa925699f79bea010b94c044de7478b534a951bd0ca026bc7d974bef18d507311548940cb7eda72461fae62fba3fe555d27fc5de7d39f3b7a2c6ec666

Download Submit
C:\Windows\SysWOW64\Oljoen32.exe

Filesize
94KB

MD5
e4debd2f8a02e7c8aa3fe96ce8b2bc5c

SHA1
6a36b457dd12bcb682c013a9c4d79fffad69a056

SHA256
bfe5c36501f46e6f036c528f3d38ced723bc1d90cab962e7eaa1f19669f905bc

SHA512
e406b1003af77c287dfcc09a5d5182b8c30dc77e29b196ea524a3fd80f6ee00c3afb8b68803829a3b77c08f4f007da8839a62e09a4b82d28b9aa0ff288f60cf2

Download Submit
C:\Windows\SysWOW64\Oohkai32.exe

Filesize
94KB

MD5
d692ca5bed73bd74a38233beceeb404c

SHA1
74ad94ae97eabc526e9a1f7db7f4d56749ec4df4

SHA256
927455f2120da9de8d06c2a5fca3d983326b109e446b3bbdf19a9fc5a1f2d1da

SHA512
84fcc774c8f0ece2bec6dfcde8942e5142c66bbff5291c2e7474ee1dedc4775464872a6fef2242a5a0763f352b365fb9b5d73f246fb96c4d7aba326ad70ec6b3

Download Submit
memory/376-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/376-464-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/464-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/464-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/648-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/832-462-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/832-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/960-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1092-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1092-476-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1104-43-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1172-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1172-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1660-244-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1728-458-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1728-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1776-60-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1784-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1916-450-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1916-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2020-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2020-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2316-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2512-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2552-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2564-456-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2564-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2672-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2872-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-452-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2964-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3080-471-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3080-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3092-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3092-474-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3120-76-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3180-470-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3180-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3208-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3212-469-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3212-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3316-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3428-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3428-475-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3536-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3564-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3564-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3608-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3780-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3916-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-457-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4044-467-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4044-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4064-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4120-461-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4120-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4128-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4304-453-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4304-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4400-459-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4400-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4452-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4452-463-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4528-479-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4528-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4532-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4532-465-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4564-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4672-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4672-449-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4708-451-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4708-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4744-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4824-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4824-468-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4888-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4900-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5008-473-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5008-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-455-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads