54edec5e6dec334ecc94781815c25a6664edb07b741faed81da2d2a373278932

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb0ce6616c5aff294ab8b014d53bedf0N.exe
Size

1.6MB
MD5

eb0ce6616c5aff294ab8b014d53bedf0
SHA1

9eaac8b1a9246ae976ea7a73780c537e88c888d1
SHA256

54edec5e6dec334ecc94781815c25a6664edb07b741faed81da2d2a373278932
SHA512

966ab2985da7f5063970e94f50a9c751e39cdf360279d7a48581020bdd1a22a9c83468abc2f36f3974a8a36168357e1d23e2ccf0d87736fe19b80ac3631ea15b
SSDEEP

12288:xaFByvNv5WOrKK/4en+czMRlWq8/sa9MbO:xaOvrWTKwe+xgq8/xMbO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ooangh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepineo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhknhabf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhjjip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odbgdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mekdffee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhknhabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mllccpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkklbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noaeqjpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocknbglo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mllccpfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Namegfql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nomlek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhjjip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnjbdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkklbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhgdmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eb0ce6616c5aff294ab8b014d53bedf0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okolfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qckfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	eb0ce6616c5aff294ab8b014d53bedf0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okceaikl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfbmdabh.exe

Executes dropped EXE 64 IoCs

pid	Process
3516	Jnbgaa32.exe
408	Jogqlpde.exe
1200	Jhoeef32.exe
2076	Kbeibo32.exe
4480	Kdffjgpj.exe
4536	Kkpnga32.exe
2304	Lddble32.exe
1132	Ledoegkm.exe
2180	Lkqgno32.exe
1940	Lamlphoo.exe
2528	Lhgdmb32.exe
3468	Mkepineo.exe
4056	Mclhjkfa.exe
4048	Mekdffee.exe
1688	Mhiabbdi.exe
3700	Mociol32.exe
2124	Maaekg32.exe
2360	Mhknhabf.exe
4864	Moefdljc.exe
4080	Madbagif.exe
4088	Mdbnmbhj.exe
4284	Mccokj32.exe
3680	Mddkbbfg.exe
1544	Mllccpfj.exe
4516	Mojopk32.exe
4928	Mdghhb32.exe
3340	Nlnpio32.exe
4548	Nomlek32.exe
1380	Nakhaf32.exe
2148	Nheqnpjk.exe
3256	Nkcmjlio.exe
644	Namegfql.exe
3476	Ndlacapp.exe
3488	Nhgmcp32.exe
4128	Noaeqjpe.exe
4588	Napameoi.exe
4044	Nfknmd32.exe
5128	Nhjjip32.exe
5168	Nocbfjmc.exe
5208	Nconfh32.exe
5248	Nfnjbdep.exe
5288	Nlgbon32.exe
5328	Nofoki32.exe
5368	Nbdkhe32.exe
5408	Odbgdp32.exe
5448	Okmpqjad.exe
5488	Oohkai32.exe
5528	Ofbdncaj.exe
5568	Ohqpjo32.exe
5608	Okolfj32.exe
5648	Ocfdgg32.exe
5688	Ofdqcc32.exe
5736	Ohcmpn32.exe
5768	Okailj32.exe
5808	Ochamg32.exe
5848	Ofgmib32.exe
5888	Oheienli.exe
5928	Okceaikl.exe
5968	Ocknbglo.exe
6008	Odljjo32.exe
6048	Omcbkl32.exe
6088	Ooangh32.exe
6128	Oflfdbip.exe
4456	Pijcpmhc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lbnjfh32.dll	Nlgbon32.exe
File created	C:\Windows\SysWOW64\Oheienli.exe	Ofgmib32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbdcf32.exe	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Kjmole32.dll	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Cojaijla.dll	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Amfhgj32.exe	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Kbeibo32.exe	Jhoeef32.exe
File opened for modification	C:\Windows\SysWOW64\Nlnpio32.exe	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Codncb32.dll	Nofoki32.exe
File created	C:\Windows\SysWOW64\Oenlmopg.dll	Omcbkl32.exe
File opened for modification	C:\Windows\SysWOW64\Oflfdbip.exe	Ooangh32.exe
File opened for modification	C:\Windows\SysWOW64\Nheqnpjk.exe	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Okcfidmn.dll	Nfknmd32.exe
File opened for modification	C:\Windows\SysWOW64\Nofoki32.exe	Nlgbon32.exe
File opened for modification	C:\Windows\SysWOW64\Ndlacapp.exe	Namegfql.exe
File opened for modification	C:\Windows\SysWOW64\Noaeqjpe.exe	Nhgmcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ocfdgg32.exe	Okolfj32.exe
File opened for modification	C:\Windows\SysWOW64\Pcdqhecd.exe	Pkmhgh32.exe
File opened for modification	C:\Windows\SysWOW64\Qkdohg32.exe	Qifbll32.exe
File opened for modification	C:\Windows\SysWOW64\Nocbfjmc.exe	Nhjjip32.exe
File created	C:\Windows\SysWOW64\Omclnn32.dll	Nocbfjmc.exe
File created	C:\Windows\SysWOW64\Odbgdp32.exe	Nbdkhe32.exe
File created	C:\Windows\SysWOW64\Kncgmcgd.dll	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Ocknbglo.exe	Okceaikl.exe
File opened for modification	C:\Windows\SysWOW64\Ooangh32.exe	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Kannaq32.dll	Pkoemhao.exe
File created	C:\Windows\SysWOW64\Bochcckb.dll	eb0ce6616c5aff294ab8b014d53bedf0N.exe
File opened for modification	C:\Windows\SysWOW64\Kbeibo32.exe	Jhoeef32.exe
File created	C:\Windows\SysWOW64\Nakhaf32.exe	Nomlek32.exe
File created	C:\Windows\SysWOW64\Oohkai32.exe	Okmpqjad.exe
File opened for modification	C:\Windows\SysWOW64\Pkklbh32.exe	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Qfjcep32.exe	Qckfid32.exe
File created	C:\Windows\SysWOW64\Mekdffee.exe	Mclhjkfa.exe
File opened for modification	C:\Windows\SysWOW64\Mhiabbdi.exe	Mekdffee.exe
File created	C:\Windows\SysWOW64\Nlgbon32.exe	Nfnjbdep.exe
File opened for modification	C:\Windows\SysWOW64\Pkoemhao.exe	Piaiqlak.exe
File created	C:\Windows\SysWOW64\Nbdkhe32.exe	Nofoki32.exe
File opened for modification	C:\Windows\SysWOW64\Omcbkl32.exe	Odljjo32.exe
File opened for modification	C:\Windows\SysWOW64\Aeopfl32.exe	Abpcja32.exe
File opened for modification	C:\Windows\SysWOW64\Napameoi.exe	Noaeqjpe.exe
File created	C:\Windows\SysWOW64\Okmpqjad.exe	Odbgdp32.exe
File created	C:\Windows\SysWOW64\Madbagif.exe	Moefdljc.exe
File created	C:\Windows\SysWOW64\Fmfbakio.dll	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Fhmeii32.dll	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Ofdqcc32.exe	Ocfdgg32.exe
File opened for modification	C:\Windows\SysWOW64\Okceaikl.exe	Oheienli.exe
File created	C:\Windows\SysWOW64\Qkdohg32.exe	Qifbll32.exe
File created	C:\Windows\SysWOW64\Hhodke32.dll	Kdffjgpj.exe
File opened for modification	C:\Windows\SysWOW64\Mkepineo.exe	Lhgdmb32.exe
File created	C:\Windows\SysWOW64\Gckjdhni.dll	Aeopfl32.exe
File opened for modification	C:\Windows\SysWOW64\Ledoegkm.exe	Lddble32.exe
File created	C:\Windows\SysWOW64\Jjfaml32.dll	Mekdffee.exe
File opened for modification	C:\Windows\SysWOW64\Mhknhabf.exe	Maaekg32.exe
File opened for modification	C:\Windows\SysWOW64\Oheienli.exe	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Pdqcenmg.exe	Pbbgicnd.exe
File created	C:\Windows\SysWOW64\Pmoagk32.exe	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Pmejnpqp.dll	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Apddce32.exe	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Nmdlch32.dll	Lamlphoo.exe
File created	C:\Windows\SysWOW64\Lggfcd32.dll	Maaekg32.exe
File created	C:\Windows\SysWOW64\Miiepfpf.dll	Odljjo32.exe
File created	C:\Windows\SysWOW64\Hblaceei.dll	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Nngihj32.dll	Moefdljc.exe
File created	C:\Windows\SysWOW64\Mdghhb32.exe	Mojopk32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocknbglo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odbgdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Namegfql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odljjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pijcpmhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbgicnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdbnmbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklfjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomlek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfknmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcppq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lamlphoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mccokj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhiabbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkepineo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nakhaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mociol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnjbdep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgdmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfdbip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoemhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jogqlpde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napameoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofbdncaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maaekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllccpfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oohkai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhoeef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifbll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddble32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mekdffee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noaeqjpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlgbon32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepineo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmpakdh.dll"	Namegfql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbimjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmejnpqp.dll"	Qfjcep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngihj32.dll"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meghme32.dll"	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfnjbdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abpcja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Noaeqjpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmhc32.dll"	Ofbdncaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pijcpmhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnegipj.dll"	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgfaf32.dll"	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcokoo32.dll"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkiigchm.dll"	Piolkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbqmiln.dll"	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflmkg32.dll"	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapijd32.dll"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhalpn32.dll"	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mociol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll"	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aealll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abcppq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maaekg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjaeema.dll"	Ofdqcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbbgicnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qckfid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhgdmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oohkai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkoemhao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhodke32.dll"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdbnmbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdfnq32.dll"	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mccokj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	eb0ce6616c5aff294ab8b014d53bedf0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omclnn32.dll"	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenlmopg.dll"	Omcbkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lamlphoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mekdffee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Okceaikl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 3516	1492	eb0ce6616c5aff294ab8b014d53bedf0N.exe	90
PID 1492 wrote to memory of 3516	1492	eb0ce6616c5aff294ab8b014d53bedf0N.exe	90
PID 1492 wrote to memory of 3516	1492	eb0ce6616c5aff294ab8b014d53bedf0N.exe	90
PID 3516 wrote to memory of 408	3516	Jnbgaa32.exe	91
PID 3516 wrote to memory of 408	3516	Jnbgaa32.exe	91
PID 3516 wrote to memory of 408	3516	Jnbgaa32.exe	91
PID 408 wrote to memory of 1200	408	Jogqlpde.exe	92
PID 408 wrote to memory of 1200	408	Jogqlpde.exe	92
PID 408 wrote to memory of 1200	408	Jogqlpde.exe	92
PID 1200 wrote to memory of 2076	1200	Jhoeef32.exe	93
PID 1200 wrote to memory of 2076	1200	Jhoeef32.exe	93
PID 1200 wrote to memory of 2076	1200	Jhoeef32.exe	93
PID 2076 wrote to memory of 4480	2076	Kbeibo32.exe	94
PID 2076 wrote to memory of 4480	2076	Kbeibo32.exe	94
PID 2076 wrote to memory of 4480	2076	Kbeibo32.exe	94
PID 4480 wrote to memory of 4536	4480	Kdffjgpj.exe	96
PID 4480 wrote to memory of 4536	4480	Kdffjgpj.exe	96
PID 4480 wrote to memory of 4536	4480	Kdffjgpj.exe	96
PID 4536 wrote to memory of 2304	4536	Kkpnga32.exe	98
PID 4536 wrote to memory of 2304	4536	Kkpnga32.exe	98
PID 4536 wrote to memory of 2304	4536	Kkpnga32.exe	98
PID 2304 wrote to memory of 1132	2304	Lddble32.exe	100
PID 2304 wrote to memory of 1132	2304	Lddble32.exe	100
PID 2304 wrote to memory of 1132	2304	Lddble32.exe	100
PID 1132 wrote to memory of 2180	1132	Ledoegkm.exe	101
PID 1132 wrote to memory of 2180	1132	Ledoegkm.exe	101
PID 1132 wrote to memory of 2180	1132	Ledoegkm.exe	101
PID 2180 wrote to memory of 1940	2180	Lkqgno32.exe	102
PID 2180 wrote to memory of 1940	2180	Lkqgno32.exe	102
PID 2180 wrote to memory of 1940	2180	Lkqgno32.exe	102
PID 1940 wrote to memory of 2528	1940	Lamlphoo.exe	103
PID 1940 wrote to memory of 2528	1940	Lamlphoo.exe	103
PID 1940 wrote to memory of 2528	1940	Lamlphoo.exe	103
PID 2528 wrote to memory of 3468	2528	Lhgdmb32.exe	104
PID 2528 wrote to memory of 3468	2528	Lhgdmb32.exe	104
PID 2528 wrote to memory of 3468	2528	Lhgdmb32.exe	104
PID 3468 wrote to memory of 4056	3468	Mkepineo.exe	105
PID 3468 wrote to memory of 4056	3468	Mkepineo.exe	105
PID 3468 wrote to memory of 4056	3468	Mkepineo.exe	105
PID 4056 wrote to memory of 4048	4056	Mclhjkfa.exe	106
PID 4056 wrote to memory of 4048	4056	Mclhjkfa.exe	106
PID 4056 wrote to memory of 4048	4056	Mclhjkfa.exe	106
PID 4048 wrote to memory of 1688	4048	Mekdffee.exe	107
PID 4048 wrote to memory of 1688	4048	Mekdffee.exe	107
PID 4048 wrote to memory of 1688	4048	Mekdffee.exe	107
PID 1688 wrote to memory of 3700	1688	Mhiabbdi.exe	108
PID 1688 wrote to memory of 3700	1688	Mhiabbdi.exe	108
PID 1688 wrote to memory of 3700	1688	Mhiabbdi.exe	108
PID 3700 wrote to memory of 2124	3700	Mociol32.exe	109
PID 3700 wrote to memory of 2124	3700	Mociol32.exe	109
PID 3700 wrote to memory of 2124	3700	Mociol32.exe	109
PID 2124 wrote to memory of 2360	2124	Maaekg32.exe	110
PID 2124 wrote to memory of 2360	2124	Maaekg32.exe	110
PID 2124 wrote to memory of 2360	2124	Maaekg32.exe	110
PID 2360 wrote to memory of 4864	2360	Mhknhabf.exe	111
PID 2360 wrote to memory of 4864	2360	Mhknhabf.exe	111
PID 2360 wrote to memory of 4864	2360	Mhknhabf.exe	111
PID 4864 wrote to memory of 4080	4864	Moefdljc.exe	112
PID 4864 wrote to memory of 4080	4864	Moefdljc.exe	112
PID 4864 wrote to memory of 4080	4864	Moefdljc.exe	112
PID 4080 wrote to memory of 4088	4080	Madbagif.exe	113
PID 4080 wrote to memory of 4088	4080	Madbagif.exe	113
PID 4080 wrote to memory of 4088	4080	Madbagif.exe	113
PID 4176 wrote to memory of 4284	4176	Mklfjm32.exe	115

C:\Users\Admin\AppData\Local\Temp\eb0ce6616c5aff294ab8b014d53bedf0N.exe
"C:\Users\Admin\AppData\Local\Temp\eb0ce6616c5aff294ab8b014d53bedf0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\Jnbgaa32.exe
  C:\Windows\system32\Jnbgaa32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\Jogqlpde.exe
    C:\Windows\system32\Jogqlpde.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\SysWOW64\Jhoeef32.exe
      C:\Windows\system32\Jhoeef32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Lamlphoo.exe
        
        C:\Windows\system32\Lamlphoo.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Mclhjkfa.exe
        
        C:\Windows\system32\Mclhjkfa.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Mekdffee.exe
        
        C:\Windows\system32\Mekdffee.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Mhknhabf.exe
        
        C:\Windows\system32\Mhknhabf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        23⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        32⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        33⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        55⤵
        Executes dropped EXE
        
        PID:5736
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Pbbgicnd.exe
        
        C:\Windows\system32\Pbbgicnd.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        75⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        84⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        86⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6392
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6432
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:6472
        
        C:\Windows\SysWOW64\Abcppq32.exe
        
        C:\Windows\system32\Abcppq32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:6592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4020,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
1⤵
PID:6648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jhoeef32.exe

Filesize
1.6MB

MD5
da8fcd1f0f1b02bf80bc476bcafcc07e

SHA1
4c6860e943fc37141ae29879295d28a383c18f80

SHA256
bb94012552bc35573e048639f75f50145fdd2d3174db662ee437f065ddd2ec62

SHA512
97ad7c9a3bfc671a0788b86b8e59286926e11456458fae7da11ff4d03b0d5f59096c00a219a4e9df20f29e86a3174bfae466cf5fddf41169f44d59eb9ce7077e

Download Submit
C:\Windows\SysWOW64\Jnbgaa32.exe

Filesize
1.6MB

MD5
26d22af6fb9fd16e2b849f804a7cf5cf

SHA1
4d0d8f502a9b1a5f2a76aab080189ff010803fe0

SHA256
49c1dcd562c1bdbbd12faf01cf2eb5a199133ac650d2d6837f620891b58f821b

SHA512
0f78babd8b0d9787f8af1fe7db46a98c9ccffe0384aeb574b53574ebe9713ab0ebc7f3ed3d265eb948858ff322cc417fee24e1ed8186b24e408368b96405067f

Download Submit
C:\Windows\SysWOW64\Jogqlpde.exe

Filesize
1.6MB

MD5
cc90eaa8def4c5ad3eae9aeb12266b05

SHA1
b42772d419d2f84101b7cc9e2c4d2c09e9d65c31

SHA256
a9ed981a843fa15fbbe7f5d8b7f158dd7ce03649282451c429819b9c076116b0

SHA512
c91bc9d437f65542b86a37c91cf06256d5643e7244417cf8a7d57e534e9c5b58728873685e10b99d4accb8c01fee8f070bf9557dc1ec9c1a36a3d1fd99ea6f1b

Download Submit
C:\Windows\SysWOW64\Kbeibo32.exe

Filesize
1.6MB

MD5
02d82b421d2475896273e83ea8e3bd55

SHA1
d3876524e11d7d8f6ef8aa2a0ae0b0b607bf2b22

SHA256
b82acdb3592659e0b1f646066a0fd0a6315b962eb1ad8e2c7f43b7c821846ed8

SHA512
6813505fc7a345a1ca52ba023d65f4301253ecebee1aa00b0b9fdd1370af49a17cfe7f0ceaf5c5bba94011e2d0b3df3b24f5f05e19ba68437b137c9dc3e696bd

Download Submit
C:\Windows\SysWOW64\Kdffjgpj.exe

Filesize
1.6MB

MD5
c660bacb1b269e4163e3179bf4dd68ab

SHA1
b57885526ade1622e5f4f8d8ed0335980cc1a74f

SHA256
cafac8bbd7e57454159ba5916cd47904ce96ffea40c63aa43e9a19edcf713841

SHA512
65bbce57549c1595fb2ed460db858e871eff1ef215c2aebec6486afd069451537eaa2bfa968903b8938bbb6af84a97c1488bf533d4fb490b5c94273efc108da7

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
1.6MB

MD5
37250e7f193617b8787b52e274b02940

SHA1
8ef19f428261ed50f2105a32afffbaf75673e248

SHA256
2763f40e33d7bc453da0548712be23338e222dee007178ef60e2ace21a9f81a9

SHA512
9b565bee4122b7ef7c364fa3fd07b3f8b09fa57af0db9c4708f5f72f7e25cb195bc86bf67a8ae995486d835c3c341952b380bdac8abe50ea356079d46cf44b53

Download Submit
C:\Windows\SysWOW64\Lamlphoo.exe

Filesize
1.6MB

MD5
83595c348cc4661621aa1e0c5e4e6a16

SHA1
69b8def4f0b84e96c3adc76f4f7982edd09c495a

SHA256
b27a5e7eaf307967efbaa4ac925ab6d4f87775abc91aaffa5ecee7cedf8b00d2

SHA512
df9113646203aef375da84ee87b0194f0ab491f1c8e3ffe8e686986cd40bff5815e618ce84d07c6bb816d553d8c915e12f8606f919957f13e55db002130e5181

Download Submit
C:\Windows\SysWOW64\Lddble32.exe

Filesize
1.6MB

MD5
325c5af0403182fd45761e42b8293725

SHA1
f2baf283b4c28e1fdaeb8e5458dafcebf0c87171

SHA256
8d728688400b8f3538a9dc1aa965ed6ab0b39e15bdf321cd68db7ad54f48a28c

SHA512
15a484b0fda635eb06164cbc13d48e5a75b6610bb531180c1cdb31c8b824f66d8a9b476b18a11b715c746cc3317c48b8a687509983dadb0f575dc61566490574

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
1.6MB

MD5
b23fa4c02dc9a2b0074603f455f8abe2

SHA1
c820b6cb458e3138c29097cc6aa92678d3100af7

SHA256
9f0f0731a39777a77bec21867db5dbeab2f262bf250e6998b781af7b47038fc8

SHA512
dece69301dc4dd75bd27825d7b468c55d23cc8ca45c56bf95f0e68395ad9e80166630f31ad53a7f547cf0c80654cc476e416d2bd67aa353eb19358e273da30e8

Download Submit
C:\Windows\SysWOW64\Lhgdmb32.exe

Filesize
1.6MB

MD5
59f92e722524b00913b91be9f8631f41

SHA1
1e75cf89fe1458adb4d2eb8b57fc68c8316a1d76

SHA256
11d0e377fa6c89adf74e8a9940a8db8136535f64f1a71b34a274498cc851bfda

SHA512
038721e3d786a0f11da28b398f7ef23baeb3c1b24489071613bc5ec8ee350c7cec4b316fe5e444df0031640b129dea371c2843ad85e47a9cd984d410b57c7ecb

Download Submit
C:\Windows\SysWOW64\Lkqgno32.exe

Filesize
1.6MB

MD5
10204f4f958a91b71275931afe5519fd

SHA1
1d394c540089cc4b8d29fe9b35844a33370299f5

SHA256
99c535fa51420ea6eea9c423b94321a1f74a09bd338f1697e52b177551f2e77b

SHA512
4fb16db856ab005a3a4fdf3f85bb7c7093b0c3c68dd9f6917db25898505f4f90f2301dc7dd511b54d49edf4e8c5e06751ee21432eb553f168e1fb14a96d0b1c9

Download Submit
C:\Windows\SysWOW64\Maaekg32.exe

Filesize
1.6MB

MD5
fb33f292183756bd1536357f436b07e6

SHA1
e76ec883dcfeaba083011eec04a08bd45f5c93bb

SHA256
38e30998b099ce9286607d937752d54dabbac8385d2d98a7579bd30e9c73eed8

SHA512
d3bc7ec367dc69e9b3882bcd45351a860a696320787a860d5d5b61207b1d66f0e5137d8262d38a05225385f78bf61c69be214586108a289582fd54c58040859a

Download Submit
C:\Windows\SysWOW64\Madbagif.exe

Filesize
1.6MB

MD5
2465835a0abd545d2592b9d27c9a95b7

SHA1
ea9ee347b729592d8b2b9a514d62767ba3a18b9a

SHA256
eaea22ebe0b0f909db869083a704892633d05f5d96694ddb6b828a8d9a5f6262

SHA512
4d214ae9847ee736814faa4a5921bfbd999399bbba7fabd8a388447c9f1e802dfa52a5292f74ef0a1d2bb006dcc8efc5de03d9b052422f48c30c73b720de637e

Download Submit
C:\Windows\SysWOW64\Mccokj32.exe

Filesize
1.6MB

MD5
fe34f310ae006c91e207c4fd9b21c982

SHA1
331bf202b37b13bebc5636988a490e8d18fde11e

SHA256
29707f5624312eae3c56657fc94f61b22f8b3c5ea2572d8b10a40bc80a8ece90

SHA512
dad7b4bf40b841cacfe01012a9c14f720042a93963ef454a7721795a86612394474921a3c83259f6287d6e3d142cca1f198e80e28b1eff4240e3abcd7582028b

Download Submit
C:\Windows\SysWOW64\Mclhjkfa.exe

Filesize
1.6MB

MD5
41f6ddb8637e9121c17b98e2d18b270d

SHA1
7954b869b559918b94bbdcb3113099802e3ddcd2

SHA256
d828370b655d219bdfc9827fa012cb9c986dd2f74b40d40284f8c1ccc9d2a64e

SHA512
4c7c1e91fd715c8b44a4efdb80ce302a91cc7dd2070b0edb3e3b0745844448b86837265ff849865d98ae3ecb592f3c2345a6561d7232f0908714d63c5923cc2f

Download Submit
C:\Windows\SysWOW64\Mdbnmbhj.exe

Filesize
1.6MB

MD5
8bc8db44900f636a30e2ba1a0e1d4455

SHA1
7c36253fdfc7bc8a0f8d93d00f14820ac575d353

SHA256
ad12189a1fa60427f2ff673639ee36c1c1f6ecf578fd1bbbba6941fd57ec75a9

SHA512
fc41aad8ae8d4ae7e4811aa06a1033a73a55c3eb84cc4d5438a407e2bac434dd0fc548e3223955dd1c0820b2ea92a446262a5699c3ac8482af3c0bc35fa465fe

Download Submit
C:\Windows\SysWOW64\Mddkbbfg.exe

Filesize
1.6MB

MD5
e51db1d68a73a941d4aa1e8ea136a97a

SHA1
15099452045726c6ebd41e4d251efda195f91cae

SHA256
fe6dde2de08dd87f0238fac2a7e5c24aee70aaa33454142a8d8f2a0ccb436e7d

SHA512
5883dc319ebce6784d57f607a14b461ab6c2bc3aa572b2de75b197d0480a30e770fc4118a4b4c600d12731155342a4db7f8c82dfab03e933a17b97dbc3ea9c28

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
1.6MB

MD5
9f6a3633cda8ae282178816d0a64b61d

SHA1
fbbd8cbba7882ec494f6624c16a8ae350a8da7c8

SHA256
68dd3fe3fc82b1bda0a7b3e4e5ef6d3554a2d4ff5afac6ba907948921216f24d

SHA512
f6b78191ca3fc93f41749f4b669761099ce7b931a7b34044c2515b5984ece26dffa26fe8a5c49669a5162999eb6e2f211d283ea47a448fead77a7f1e6047dd2b

Download Submit
C:\Windows\SysWOW64\Mekdffee.exe

Filesize
1.6MB

MD5
1616ac2a306adf1dda4de7d65e4d368d

SHA1
9c0b2f60e934937fb6f9541a0dcc540340fe8254

SHA256
ca0d2707d946c273a40ec6617e2c1cddaac53509e457d14adc05fccc4448ef50

SHA512
3f868510e967f29e5c707f83155a102b0d8bb9286e02c863e8dd1048cc8a0f5daa9fd283080d0a661c0ef55a9400631a669c0bda432454b2d654110f2be80f36

Download Submit
C:\Windows\SysWOW64\Mhiabbdi.exe

Filesize
1.6MB

MD5
ae825285e9a031b5426eef7549f82875

SHA1
edbf08beadebec128476ce823ec46ec3985fa26c

SHA256
e4e4e1bb0ce57adf8a68a184c5962b0c5222afec4a5ef089f7ef6fec3f0bfbe1

SHA512
b515a16cfdc1795e157c0b1b311445a3bc6dbe37fb250478d8e2dce701689310b889d59d92e41c69d748e9ffd5307c507bb98454a2f9821ae527c6943ec1f424

Download Submit
C:\Windows\SysWOW64\Mhknhabf.exe

Filesize
1.6MB

MD5
5991858b1df1cfaa676223692d60d248

SHA1
9dcb38ff9d070484b62fd26d3453fb26b7ab5229

SHA256
b76506f5ade6abf26fbf90b50843975621ee5bd45a0831cf28e4715056e257ba

SHA512
4e03a0341a5414930a924ecdf880b225c6f258dcc9a049428d96e2181746bf4befce780ff05a4dbdaada1d31a300c88292c768c1485f72c20fab79bb1fa34bb6

Download Submit
C:\Windows\SysWOW64\Mkepineo.exe

Filesize
1.6MB

MD5
e6a3e5e5c226f7af7b282b8b6824a372

SHA1
48c2e4d54a735690f9c0bf6267b0d829d44bf0a9

SHA256
502ac350215d9dc33b9297681edb4d68571103067749405587fc4cb8f4586e20

SHA512
157415dbf296de92d09d5d6cac00b741728cf1f2feb30701ac17b768f250dc9c4f6a2c8ffe9440163fa6fee109c099796d7e25a3ac80348abf99f87dc8f6c817

Download Submit
C:\Windows\SysWOW64\Mllccpfj.exe

Filesize
1.6MB

MD5
d4037a859352e1705b50e775ffd279ac

SHA1
c11c5504d2db4250ace3e64df8c97372f7b24561

SHA256
cf7c38bdd70689d65e57f595807cc050c0a580df84ff47a6b4bc8806545cc6cb

SHA512
57a303c097ad0436885d8c51e7ba133107588dd4cfbc60fb39a6ac72192ec2ee5ebfebeb2bb9fe0ab3784ed8b86a5eeeae4a976ad528bd555c4abce84907b5b7

Download Submit
C:\Windows\SysWOW64\Mociol32.exe

Filesize
1.6MB

MD5
6f5ae63f0c55e01c85f81ebf1cda99dd

SHA1
c3f3c3f83c262abf840ae82a23f67a7d3727da1b

SHA256
2cd59e0cb07c1afa1c1f421776590744610dafbceb80e76aa65872380905e1c5

SHA512
16d9f750c4db4ec82ebd642f1769198e2ad61a53229cab4771aeb785a374f62c21a1ae70004c4e69fd5c49a5538d03457e6e1b190e11ba20359e6f5c47f48415

Download Submit
C:\Windows\SysWOW64\Moefdljc.exe

Filesize
1.6MB

MD5
de475292cc1638c5cc32b00f6648e3f4

SHA1
453981b0044019831c36c31bd0c4fc5d75296a2b

SHA256
6d2db750e2edc736033c108ce0b9cf7ce7a83494e258b2eeef2b9ba17db00ff7

SHA512
9787a83d93738ada30c22431c32b88e35ad5265e796cd63e4a72ea2ca57a75e7dcc88100a8a8350b6119e29c0e10de16b63386feb6b9f0cc52982f7e718f3b59

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
1.6MB

MD5
e6818c799a1654cb794f8872424147df

SHA1
eefbdc563dbadde399f23285d2c61558967e9196

SHA256
35888cdc689c6fa40d6f7c42fb8515c0b08bb9f468cd3ce07880939b27f1261f

SHA512
b50d3aae1c98d9d32ebff4648e87bc5562d7cc096ef80ce533f2996efcf8916e6e592010d32d4adb0328a0cf33edc1fbb22b29676290f87ab33ae1f0b0f997b2

Download Submit
C:\Windows\SysWOW64\Nakhaf32.exe

Filesize
1.6MB

MD5
a6671d718a32d50f70ae6975decf256e

SHA1
c9a9be3253b5979eace25c1cb87e85c39f9d229c

SHA256
f99408148394c040dcfea9db7d78fb2c6939a661e78a0d7dcadae38ff7a9557a

SHA512
90888f6238ba97f11c69471cead64215f1abcb684704e9e574c5ab88305192551dcb928a1b8ec2816af3dafa6b1cc8c10348b8ac470f3d05dcb90a138fd717bc

Download Submit
C:\Windows\SysWOW64\Namegfql.exe

Filesize
1.6MB

MD5
bed7edb42180bc956a95f2ff22eb03ac

SHA1
849ea9a6d65eb2e996a75ed6f47a39518613ac98

SHA256
f03e24d18ab0a2001d75dbbe0d3cd5e2277e1d699704c1a8c58f0c34a8e4b712

SHA512
bc3a88116faa50cde9ddf7daa26b5af49a78f09a14f4fe57a76d2f44673fe4feed1cbba67f57bbd61d0c80a77307822ce4e1865c09736f9f6dd50342c51fa95d

Download Submit
C:\Windows\SysWOW64\Ndlacapp.exe

Filesize
1.6MB

MD5
2b79d99876c36cd98227f58ca12711ee

SHA1
8bd94a4fc7bff33a1f80bbd57a3ee74e2f9857fa

SHA256
e265a86c5ac6aa90dbe45dca93ed42515e475f6e4a4cace0999ea8987c36ce69

SHA512
0b0d57d783c2fe7d27d43077aa7c18ab1bda79020a8aea1de3eba6b2937127171a0b64431015724bbc72704b61810dbe144ae98cc8a32cd11e6abdf5e722e438

Download Submit
C:\Windows\SysWOW64\Nheqnpjk.exe

Filesize
1.6MB

MD5
45640d176761df62078e44b0e0035199

SHA1
e8fdb2782bc442070d9fffb1e23cda6362f909a6

SHA256
a590c75bd709be77ccc5bb09d89de1bc71b8d1ca378f1d21ca67b5d242d577bb

SHA512
78961e005f1bcdc15ce3c80d46abde66146c2339f21047eb0e7962c08399fe4a6113d88df5351675baba3fae3d8a9cd001addd8e90a34b252a396984789fd5a5

Download Submit
C:\Windows\SysWOW64\Nkcmjlio.exe

Filesize
1.6MB

MD5
37533435cefd5234038a41bc8ccaa476

SHA1
cefb8b8f2f9e1c6ee666cb223fb6771c0ed0f400

SHA256
4c47ece4206058c8a66efb3ed1884e86c047338e9aaaf58e3349d4b40e20eeb6

SHA512
7d091ec1681d29d917fcdea0c5d987777e8886cbe62f6b1bf9fd2ad8e4cc948838c5485939f347457d83c6087420df519dde894dc8769724b19ad267f093e43f

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
1.6MB

MD5
fd802a7f623958891163784ae46f2163

SHA1
073ac74c070f33a849274254ff1594be3463fbb0

SHA256
842c4f75533dfdf8bdf0241bf971310691747e01602e22d9ea0def7febda0d6b

SHA512
522ed9070b523821767d1e128a1debde062d6f6a7ab3f5294623e7b6d4eaafc65803cc98c0736f04fdc8e8f46f76abba8bdabef271e861530980bb100f31776b

Download Submit
C:\Windows\SysWOW64\Nomlek32.exe

Filesize
1.6MB

MD5
29204a370c1991d64aee821f41eafca1

SHA1
47044f7c0de6f4283c44a68780f1944a06c41986

SHA256
168e9676adb5851bc215d190a012f4c0eccf429286148514732a995dc7bb9745

SHA512
71ce399256ca2cafca330bdfa6daabc2b45e75e61a176c28708ea051758572597f32dd8c501ca81ce246d3bd008d640cb71c1365e6301adf8f161fbc472e3aa2

Download Submit
C:\Windows\SysWOW64\Oojnjjli.dll

Filesize
7KB

MD5
888143f3dda228a48a754b8aa5c205a5

SHA1
57b71a92b3ed3eaf94d72000ef94e45b2d0ba2ce

SHA256
78585082e2dc8334f37d845ba4d0acf180c63b1c30d5a8f47be40cab135c3344

SHA512
4e73029129dad3c29f019439526abb57f7adeb0884697b421ff1fc0a2c8b651b22d789df8e1f2662049a95d696b2367b33601d8aad430143f0624efdaba9fe89

Download Submit
memory/408-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5152-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5168-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5208-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5232-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5248-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5288-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5312-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5328-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5368-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5408-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5440-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5448-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5488-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5528-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5564-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5568-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5608-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5644-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5648-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5688-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5716-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5736-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5768-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5800-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5808-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5848-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5872-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5888-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5928-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5936-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5968-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6008-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6016-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6048-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6084-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6088-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6128-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6152-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6192-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6232-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6272-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads