b3a654b11b71e873bd684d9ec7f424052735f95499a10061909a5bb13112fbd3

Analysis

max time kernel
114s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3a654b11b71e873bd684d9ec7f424052735f95499a10061909a5bb13112fbd3N.exe
Size

64KB
MD5

823bd3267268c79564cebaa6ddc66780
SHA1

3da10b7a1e24516a7af2e36367e8a310c3fcfbc3
SHA256

b3a654b11b71e873bd684d9ec7f424052735f95499a10061909a5bb13112fbd3
SHA512

8cf13fc123ec3be568cebbd4a0eb75beec9744ec296792a8dd99cea87438eae181ce504fbf838c41c6d9ac1766a29dd112f1c3c1c2f62fa0a188e93ecafbd77f
SSDEEP

1536:xfxrtRjPcZ+OdwZ5ddR34QUXruCHcpzt/Idn:xjRLXKUB3jpFwn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpbpecen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhhbngi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecialmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dllffa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cibkohef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbjogmlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beoimjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dibdeegc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpllbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b3a654b11b71e873bd684d9ec7f424052735f95499a10061909a5bb13112fbd3N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfknmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oloipmfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Albkieqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkabbgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhofnpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bimach32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbpjfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qifbll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpgbgpbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dedkogqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bimach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpcila32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfjeckpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpllbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomlek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbnbemf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofoki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bppcpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpbpecen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfonnk32.exe

Executes dropped EXE 64 IoCs

pid	Process
2616	Mhpgca32.exe
2160	Mojopk32.exe
2896	Mdghhb32.exe
4708	Nomlek32.exe
4836	Ndidna32.exe
1116	Nkcmjlio.exe
2992	Namegfql.exe
4484	Ndlacapp.exe
2120	Nkeipk32.exe
4316	Nfknmd32.exe
2500	Nocbfjmc.exe
2872	Nbbnbemf.exe
4380	Nofoki32.exe
5108	Okmpqjad.exe
432	Ocdgahag.exe
3688	Ocfdgg32.exe
4832	Ohcmpn32.exe
1460	Oloipmfd.exe
3984	Oomelheh.exe
1608	Ofgmib32.exe
3616	Oheienli.exe
3608	Ofijnbkb.exe
1292	Obpkcc32.exe
3752	Podkmgop.exe
4516	Pfncia32.exe
3796	Pbddobla.exe
2460	Pecpknke.exe
4460	Piaiqlak.exe
4044	Pokanf32.exe
3008	Pkabbgol.exe
3588	Qifbll32.exe
4264	Qbngeadf.exe
512	Qcncodki.exe
1528	Amfhgj32.exe
2400	Apgqie32.exe
2060	Aecialmb.exe
3876	Ammnhilb.exe
5028	Abjfqpji.exe
2132	Albkieqj.exe
876	Bfhofnpp.exe
1420	Bppcpc32.exe
3176	Bemlhj32.exe
5080	Bpbpecen.exe
660	Beoimjce.exe
1320	Bcpika32.exe
1988	Bimach32.exe
4740	Bcbeqaia.exe
1484	Bipnihgi.exe
3672	Cdebfago.exe
1328	Cibkohef.exe
3780	Cbjogmlf.exe
3184	Cidgdg32.exe
4276	Cbmlmmjd.exe
1088	Cmbpjfij.exe
2772	Cfjeckpj.exe
2216	Cemeoh32.exe
2080	Cpcila32.exe
4536	Cbaehl32.exe
5024	Ciknefmk.exe
5064	Dpefaq32.exe
2960	Dfonnk32.exe
3884	Dllffa32.exe
3696	Dpgbgpbe.exe
3160	Dedkogqm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dpllbp32.exe	Dibdeegc.exe
File created	C:\Windows\SysWOW64\Ndlacapp.exe	Namegfql.exe
File opened for modification	C:\Windows\SysWOW64\Ndlacapp.exe	Namegfql.exe
File opened for modification	C:\Windows\SysWOW64\Ohcmpn32.exe	Ocfdgg32.exe
File opened for modification	C:\Windows\SysWOW64\Oheienli.exe	Ofgmib32.exe
File created	C:\Windows\SysWOW64\Hjjmaneh.dll	Bfhofnpp.exe
File created	C:\Windows\SysWOW64\Pecpknke.exe	Pbddobla.exe
File created	C:\Windows\SysWOW64\Ocdgahag.exe	Okmpqjad.exe
File opened for modification	C:\Windows\SysWOW64\Apgqie32.exe	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Pmhegoin.dll	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Nocbfjmc.exe	Nfknmd32.exe
File created	C:\Windows\SysWOW64\Cmonod32.dll	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Amfhgj32.exe	Qcncodki.exe
File created	C:\Windows\SysWOW64\Bcbeqaia.exe	Bimach32.exe
File opened for modification	C:\Windows\SysWOW64\Bipnihgi.exe	Bcbeqaia.exe
File created	C:\Windows\SysWOW64\Cdebfago.exe	Bipnihgi.exe
File created	C:\Windows\SysWOW64\Cpcila32.exe	Cemeoh32.exe
File created	C:\Windows\SysWOW64\Acicqigg.dll	Nomlek32.exe
File opened for modification	C:\Windows\SysWOW64\Piaiqlak.exe	Pecpknke.exe
File opened for modification	C:\Windows\SysWOW64\Dpgbgpbe.exe	Dllffa32.exe
File opened for modification	C:\Windows\SysWOW64\Nfknmd32.exe	Nkeipk32.exe
File opened for modification	C:\Windows\SysWOW64\Pbddobla.exe	Pfncia32.exe
File opened for modification	C:\Windows\SysWOW64\Cbjogmlf.exe	Cibkohef.exe
File created	C:\Windows\SysWOW64\Hodcma32.dll	Dfonnk32.exe
File created	C:\Windows\SysWOW64\Kpdejagg.dll	Ndidna32.exe
File created	C:\Windows\SysWOW64\Fpqifh32.dll	Ocdgahag.exe
File created	C:\Windows\SysWOW64\Cidgdg32.exe	Cbjogmlf.exe
File created	C:\Windows\SysWOW64\Mkbdql32.dll	Oheienli.exe
File created	C:\Windows\SysWOW64\Bqpqlhmf.dll	Obpkcc32.exe
File opened for modification	C:\Windows\SysWOW64\Podkmgop.exe	Obpkcc32.exe
File created	C:\Windows\SysWOW64\Ghnkilod.dll	Ofijnbkb.exe
File opened for modification	C:\Windows\SysWOW64\Cpcila32.exe	Cemeoh32.exe
File created	C:\Windows\SysWOW64\Idbgcb32.dll	Dedkogqm.exe
File created	C:\Windows\SysWOW64\Nkcmjlio.exe	Ndidna32.exe
File created	C:\Windows\SysWOW64\Cqgkidki.dll	Okmpqjad.exe
File opened for modification	C:\Windows\SysWOW64\Bcpika32.exe	Beoimjce.exe
File opened for modification	C:\Windows\SysWOW64\Beoimjce.exe	Bpbpecen.exe
File created	C:\Windows\SysWOW64\Dmkcpdao.exe	Dedkogqm.exe
File created	C:\Windows\SysWOW64\Ohhbfe32.dll	Mojopk32.exe
File opened for modification	C:\Windows\SysWOW64\Pfncia32.exe	Podkmgop.exe
File opened for modification	C:\Windows\SysWOW64\Pkabbgol.exe	Pokanf32.exe
File opened for modification	C:\Windows\SysWOW64\Aecialmb.exe	Apgqie32.exe
File created	C:\Windows\SysWOW64\Bppcpc32.exe	Bfhofnpp.exe
File created	C:\Windows\SysWOW64\Amkejmgc.dll	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Cmiikpek.dll	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Ddhhbngi.exe
File created	C:\Windows\SysWOW64\Pbddobla.exe	Pfncia32.exe
File created	C:\Windows\SysWOW64\Cbaehl32.exe	Cpcila32.exe
File created	C:\Windows\SysWOW64\Bdhfnche.dll	Nfknmd32.exe
File created	C:\Windows\SysWOW64\Qifbll32.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Dllffa32.exe	Dfonnk32.exe
File created	C:\Windows\SysWOW64\Cbjogmlf.exe	Cibkohef.exe
File opened for modification	C:\Windows\SysWOW64\Cfjeckpj.exe	Cmbpjfij.exe
File opened for modification	C:\Windows\SysWOW64\Mojopk32.exe	Mhpgca32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdgahag.exe	Okmpqjad.exe
File opened for modification	C:\Windows\SysWOW64\Ciknefmk.exe	Cbaehl32.exe
File opened for modification	C:\Windows\SysWOW64\Abjfqpji.exe	Ammnhilb.exe
File opened for modification	C:\Windows\SysWOW64\Bfhofnpp.exe	Albkieqj.exe
File created	C:\Windows\SysWOW64\Bcpika32.exe	Beoimjce.exe
File created	C:\Windows\SysWOW64\Cefnemqj.dll	Aecialmb.exe
File created	C:\Windows\SysWOW64\Bemlhj32.exe	Bppcpc32.exe
File created	C:\Windows\SysWOW64\Ciknefmk.exe	Cbaehl32.exe
File opened for modification	C:\Windows\SysWOW64\Nocbfjmc.exe	Nfknmd32.exe
File created	C:\Windows\SysWOW64\Dfonnk32.exe	Dpefaq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3744	4464	WerFault.exe	158

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecialmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbaehl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofoki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpefaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dibdeegc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhpgca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdgahag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obpkcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgqie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhofnpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfknmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhhbngi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cemeoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdebfago.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfjeckpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qifbll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcncodki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcbeqaia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cidgdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfonnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllffa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Namegfql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemlhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oloipmfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bimach32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndidna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmkcpdao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpllbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3a654b11b71e873bd684d9ec7f424052735f95499a10061909a5bb13112fbd3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albkieqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcpika32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbpjfij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dedkogqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddekmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beoimjce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipnihgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcila32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomlek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjfqpji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbnbemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmjlio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibkohef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbmlmmjd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acicqigg.dll"	Nomlek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beoimjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdgep32.dll"	Ohcmpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b3a654b11b71e873bd684d9ec7f424052735f95499a10061909a5bb13112fbd3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpbpecen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmabgl32.dll"	Bcpika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbjabqbh.dll"	b3a654b11b71e873bd684d9ec7f424052735f95499a10061909a5bb13112fbd3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbjogmlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjaeema.dll"	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cibkohef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaepkejo.dll"	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pokanf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abjfqpji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfjeckpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cibkohef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cidgdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmiikpek.dll"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nofoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonhbi32.dll"	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Ddhhbngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnkilod.dll"	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhofnpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmidc32.dll"	Bipnihgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpefaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iojghflb.dll"	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhbfe32.dll"	Mojopk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edjgidik.dll"	Bimach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bipnihgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhejfl32.dll"	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joboincl.dll"	Nofoki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecnjaee.dll"	Cmbpjfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciknefmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqdbl32.dll"	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefnemqj.dll"	Aecialmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oloipmfd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2616	3004	b3a654b11b71e873bd684d9ec7f424052735f95499a10061909a5bb13112fbd3N.exe	89
PID 3004 wrote to memory of 2616	3004	b3a654b11b71e873bd684d9ec7f424052735f95499a10061909a5bb13112fbd3N.exe	89
PID 3004 wrote to memory of 2616	3004	b3a654b11b71e873bd684d9ec7f424052735f95499a10061909a5bb13112fbd3N.exe	89
PID 2616 wrote to memory of 2160	2616	Mhpgca32.exe	90
PID 2616 wrote to memory of 2160	2616	Mhpgca32.exe	90
PID 2616 wrote to memory of 2160	2616	Mhpgca32.exe	90
PID 2160 wrote to memory of 2896	2160	Mojopk32.exe	91
PID 2160 wrote to memory of 2896	2160	Mojopk32.exe	91
PID 2160 wrote to memory of 2896	2160	Mojopk32.exe	91
PID 2896 wrote to memory of 4708	2896	Mdghhb32.exe	92
PID 2896 wrote to memory of 4708	2896	Mdghhb32.exe	92
PID 2896 wrote to memory of 4708	2896	Mdghhb32.exe	92
PID 4708 wrote to memory of 4836	4708	Nomlek32.exe	93
PID 4708 wrote to memory of 4836	4708	Nomlek32.exe	93
PID 4708 wrote to memory of 4836	4708	Nomlek32.exe	93
PID 4836 wrote to memory of 1116	4836	Ndidna32.exe	94
PID 4836 wrote to memory of 1116	4836	Ndidna32.exe	94
PID 4836 wrote to memory of 1116	4836	Ndidna32.exe	94
PID 1116 wrote to memory of 2992	1116	Nkcmjlio.exe	95
PID 1116 wrote to memory of 2992	1116	Nkcmjlio.exe	95
PID 1116 wrote to memory of 2992	1116	Nkcmjlio.exe	95
PID 2992 wrote to memory of 4484	2992	Namegfql.exe	96
PID 2992 wrote to memory of 4484	2992	Namegfql.exe	96
PID 2992 wrote to memory of 4484	2992	Namegfql.exe	96
PID 4484 wrote to memory of 2120	4484	Ndlacapp.exe	97
PID 4484 wrote to memory of 2120	4484	Ndlacapp.exe	97
PID 4484 wrote to memory of 2120	4484	Ndlacapp.exe	97
PID 2120 wrote to memory of 4316	2120	Nkeipk32.exe	98
PID 2120 wrote to memory of 4316	2120	Nkeipk32.exe	98
PID 2120 wrote to memory of 4316	2120	Nkeipk32.exe	98
PID 4316 wrote to memory of 2500	4316	Nfknmd32.exe	99
PID 4316 wrote to memory of 2500	4316	Nfknmd32.exe	99
PID 4316 wrote to memory of 2500	4316	Nfknmd32.exe	99
PID 2500 wrote to memory of 2872	2500	Nocbfjmc.exe	100
PID 2500 wrote to memory of 2872	2500	Nocbfjmc.exe	100
PID 2500 wrote to memory of 2872	2500	Nocbfjmc.exe	100
PID 2872 wrote to memory of 4380	2872	Nbbnbemf.exe	101
PID 2872 wrote to memory of 4380	2872	Nbbnbemf.exe	101
PID 2872 wrote to memory of 4380	2872	Nbbnbemf.exe	101
PID 4380 wrote to memory of 5108	4380	Nofoki32.exe	102
PID 4380 wrote to memory of 5108	4380	Nofoki32.exe	102
PID 4380 wrote to memory of 5108	4380	Nofoki32.exe	102
PID 5108 wrote to memory of 432	5108	Okmpqjad.exe	103
PID 5108 wrote to memory of 432	5108	Okmpqjad.exe	103
PID 5108 wrote to memory of 432	5108	Okmpqjad.exe	103
PID 432 wrote to memory of 3688	432	Ocdgahag.exe	104
PID 432 wrote to memory of 3688	432	Ocdgahag.exe	104
PID 432 wrote to memory of 3688	432	Ocdgahag.exe	104
PID 3688 wrote to memory of 4832	3688	Ocfdgg32.exe	105
PID 3688 wrote to memory of 4832	3688	Ocfdgg32.exe	105
PID 3688 wrote to memory of 4832	3688	Ocfdgg32.exe	105
PID 4832 wrote to memory of 1460	4832	Ohcmpn32.exe	106
PID 4832 wrote to memory of 1460	4832	Ohcmpn32.exe	106
PID 4832 wrote to memory of 1460	4832	Ohcmpn32.exe	106
PID 1460 wrote to memory of 3984	1460	Oloipmfd.exe	107
PID 1460 wrote to memory of 3984	1460	Oloipmfd.exe	107
PID 1460 wrote to memory of 3984	1460	Oloipmfd.exe	107
PID 3984 wrote to memory of 1608	3984	Oomelheh.exe	108
PID 3984 wrote to memory of 1608	3984	Oomelheh.exe	108
PID 3984 wrote to memory of 1608	3984	Oomelheh.exe	108
PID 1608 wrote to memory of 3616	1608	Ofgmib32.exe	109
PID 1608 wrote to memory of 3616	1608	Ofgmib32.exe	109
PID 1608 wrote to memory of 3616	1608	Ofgmib32.exe	109
PID 3616 wrote to memory of 3608	3616	Oheienli.exe	110

C:\Users\Admin\AppData\Local\Temp\b3a654b11b71e873bd684d9ec7f424052735f95499a10061909a5bb13112fbd3N.exe
"C:\Users\Admin\AppData\Local\Temp\b3a654b11b71e873bd684d9ec7f424052735f95499a10061909a5bb13112fbd3N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\Mhpgca32.exe
  C:\Windows\system32\Mhpgca32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\Mojopk32.exe
    C:\Windows\system32\Mojopk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\Mdghhb32.exe
      C:\Windows\system32\Mdghhb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
      - C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Aecialmb.exe
        
        C:\Windows\system32\Aecialmb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Bfhofnpp.exe
        
        C:\Windows\system32\Bfhofnpp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Bppcpc32.exe
        
        C:\Windows\system32\Bppcpc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Bpbpecen.exe
        
        C:\Windows\system32\Bpbpecen.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:660
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Bcbeqaia.exe
        
        C:\Windows\system32\Bcbeqaia.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Cibkohef.exe
        
        C:\Windows\system32\Cibkohef.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Cemeoh32.exe
        
        C:\Windows\system32\Cemeoh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Ddhhbngi.exe
        
        C:\Windows\system32\Ddhhbngi.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 400
        72⤵
        Program crash
        
        PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4464 -ip 4464
1⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
1⤵
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amfhgj32.exe

Filesize
64KB

MD5
9a678e9de50a0f5a3f2b05dbf19efd19

SHA1
ba257f651f31400e2d32265adf1e7c33ef9606c5

SHA256
d76e09c2eb0fc47f1f035d966625b824ec7b064ca8e54a9fca8f014134cad48c

SHA512
e4a022ccba6e19fe0fe0321e9239064d6a05f12d2e7a1df9193324ffec8fc17571c3b095d73507c5f5147d8626facdcb064a905bdb73d072be1b5615aac8a375

Download Submit
C:\Windows\SysWOW64\Ammnhilb.exe

Filesize
64KB

MD5
5bc1b9e88d1c57c97ebfea7337ad7ff2

SHA1
ed9df789ed25ff4865a7baaac93e436ca204f16a

SHA256
0b4e4b571c3f1ae79ea5b05c988b763bd61977a987d31123f8da7e96e09ff119

SHA512
d51a02db965df9a3cb3d0d01fe3ea8f3bbd7edae97f0e0f957276c9b5b874ce65eef36c6e359b2aae84c065814eaea286b051f32c1689d5cfb61c7fc8a518255

Download Submit
C:\Windows\SysWOW64\Beoimjce.exe

Filesize
64KB

MD5
aee262261c7bd63751b8aa479bacea1a

SHA1
d1dde415ec17cae58d1bc4beae9d4432df74287a

SHA256
4697fc5a16d73faa58b90baa1bd58139bc1221412872e88c96668f69ff1be7cb

SHA512
bc33db5cf0837d2dde02295d935556e61fb1a0ea93275e96d7eabf921522a83bc98ee3f7c170bec4c409731db395b9326041af574060d9c8e7cf24cf5ea8233f

Download Submit
C:\Windows\SysWOW64\Bfhofnpp.exe

Filesize
64KB

MD5
b29ff24a065a3a3341b15e73528fe42d

SHA1
510693dfd126201dcebf0dadb3040dc16aac1142

SHA256
0ea56e4cf3bbc4c80190294f6445145913cc9b64f7e5376d37f0bf2490aa440f

SHA512
400e2b40914e04202bf46d247dfc35d96292107e7145de948980354a96d97d0c6b631aa6b420df1487e6b07cb4291293a3c21a8198cad02869b37d9f58a45076

Download Submit
C:\Windows\SysWOW64\Bimach32.exe

Filesize
64KB

MD5
8c9a871d430c893e75e32c934fa3663d

SHA1
a0257fe3e44f2bbfbb70d064df02e20ba9a52298

SHA256
a637508a64ad68c9d7fc78907bedb4ebae137a00d2f0880d44886dda4b084e03

SHA512
5fbeae3ceced309cabf729c43285b77422c1b32bccde3a086096f3567a52790a177cadcce301926d1650c93daeb8b152d6a826a0c38e6c00a913dbab77fbf7f8

Download Submit
C:\Windows\SysWOW64\Cbjogmlf.exe

Filesize
64KB

MD5
8c0040315d4bab53c4a19e253a8ec9a9

SHA1
9de70bd96b9cc297898588033b15733af253f360

SHA256
f49e419b4b42d0d85ce9fde4adc988c4babe95ad3aedf3929698120285fb7217

SHA512
7d7312f1fe15e686d8fbe0b9a695139e350025781a1949ae742cdb417098545ec3cdf8e953f65790ae9ca6fbeafd30c236a34dd999fe9cdc39ee8305375247c1

Download Submit
C:\Windows\SysWOW64\Cbmlmmjd.exe

Filesize
64KB

MD5
562248df63ae53136f582fdde9c5472d

SHA1
60a2c8bae4f88d37885de17ada6d824643258a53

SHA256
8b7a391b20c49ed22838aaed36c181db6e3ad69b3f7ea79805e6c41edad745c5

SHA512
b10bf16a923a68f271e4985e0bcaa90f1e84ad6ac15c51a885679046522683d06440179405c0a0cbf30f1170f57eb1f34b925b7ba1b9812ac45a07e9c32a26a5

Download Submit
C:\Windows\SysWOW64\Cdebfago.exe

Filesize
64KB

MD5
2692c9b0d4f653c5853b6d7f71440368

SHA1
b3eb27d05f9091d6f80a499d81d2914342dfaf69

SHA256
a10a3c6ff5f527d6d43b569c54a262ab650419076c572d735d517c45616c2770

SHA512
5907c876e08f7a442612d8f0338234f31bf774f92bde251076cdc7591833bd320e81e8a28b168161ac94f1234f1bd3f6a156aebbb4ca9643909360dd04ba814e

Download Submit
C:\Windows\SysWOW64\Cpcila32.exe

Filesize
64KB

MD5
a036c8c2f605739d15dc7cde32cfdff2

SHA1
38a6d3867e2ed01cc7f5efcc0e730b84ac4bc30a

SHA256
e81f6e1c2d6b7b17bc696f01cbd2803f89ee88daf7b5b1ff85b1e6c0f967129c

SHA512
2a147807163057b76c5a92b86365011bebb27003f933f89d01c9e824188ac3de30c75aff7e1a6376996b73a127917149a64326d773e68a993238f38da387409f

Download Submit
C:\Windows\SysWOW64\Dedkogqm.exe

Filesize
64KB

MD5
76036718c886f7f4b6928699cc93874e

SHA1
56aaf0aaf7686a0ad1f3880aaf4e7987fe8a1eb5

SHA256
756ea86c9d1952374a17fe1d752438d0545ba4877ff354001628e65b621d40b5

SHA512
4a676b27a5ccdfe76f8fef0390708e6248e84fe59e23681f0c66773b52c84d6502ac2ac7c15337bf975a789f8002cb12edd19b346c3602d6d06513546064c34a

Download Submit
C:\Windows\SysWOW64\Dibdeegc.exe

Filesize
64KB

MD5
78b9569783e08f9ba1f97d7c3c3b1497

SHA1
d61268cdfc142b3b59428c4437ed9c61d50f1210

SHA256
a261d6d1c6ebf86542d02bbcf1f7174ab9eaa33199383eeb2878634909f50860

SHA512
6b5ab243cdf9fffe4bee84adf12286175d9afc8891710bba326076461eeb6d7a046c1ac0f79437ce2b47de4b680666cf9ca9dbbd19d5f4b72d70b333afae0fc6

Download Submit
C:\Windows\SysWOW64\Dllffa32.exe

Filesize
64KB

MD5
417751bed358b861681a312904af7fb1

SHA1
220c2fd69ad4081cd61e1ec1e7df5f165de07990

SHA256
092d792fb311c88ee169cf030a908bb9a42acf1783503dc710afad79485bfa22

SHA512
89d6ea8d2f69f11c760ae4d2c3f4182f0c44a641849b1ef34104277bec0520a5f364524a1d5da89ec20d9fc0bd1667b2185289a0e5240b1abd53228e814b4e4f

Download Submit
C:\Windows\SysWOW64\Dpefaq32.exe

Filesize
64KB

MD5
094fe3731c19597fff6bbfba014c5ddd

SHA1
4d7831a7d1076ec4651d95f083ab920646bc5df1

SHA256
14a24b562665606ee12d67f133901ffc86d3082813c9269e2752a264df95c435

SHA512
7acbf7b6019b1e1f4b1362513f44f97f66ab6b569842f19478e1aee85d2a45c700a08d36d7ffa876d9b7273701129569858ba63635e8b5a6450e18ce0ea5466e

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
64KB

MD5
237e0f3b00aa4330b46bb5f448630325

SHA1
731476aefe14cb82316f65b55278be69dc2dc893

SHA256
cdc0e2d5776ca7c28e41f26dcb002049f7ecd3f98788a12473076d566f27f27b

SHA512
961054822fea68e1c84e7686aa18f44223d747b0f66322063994d6a9753f78909b723147090e16fe40936ae0fe29dbc1e402ed83304d5c5d7a97d618e523e672

Download Submit
C:\Windows\SysWOW64\Mhpgca32.exe

Filesize
64KB

MD5
789940c571b07a5207fe736d445e53bd

SHA1
b95ff6a490bd8afa26431f62e207323b598b5df8

SHA256
a1f08334294595d70573614a9d9b17f6c3e7031748ee9b6b6e32891c4933d259

SHA512
e2d0b7bb0e4f74093c6fda1d572a84fde141c7f44ccdb4f9f1e492dcf8de01ca0810b5e8995da9589138f61668744387e4e408b4b3e1a2be687a2d73f54773fb

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
64KB

MD5
91582b6e9e3dd43dfe782ed054e2a875

SHA1
580dbb2426a746092664a6591f0cc194570e1460

SHA256
fdc8432058da08ca232bed03ecb1dd379b77dbb7130362d3c34b9afe7dc9e5f2

SHA512
16dc936ea24e88eae13de4cae06a3e1d5caf9cd7a905086d529a2d72967b2ef39da1b34b386829e2bfd1cebfb2d0ea270ea901d9c6125b4e4bf4edc21ba94dcc

Download Submit
C:\Windows\SysWOW64\Namegfql.exe

Filesize
64KB

MD5
69629d977054420c354a020085e6a627

SHA1
72cff9a194cd911a31728c7f6d02cd9964b64c52

SHA256
de66d762670bd059355c78128cf48107a464411a20e11603be57ab07a66a6884

SHA512
170161098abc0963d0883ede9c55b2ff91113b1b19b36985bf9a16d5041782eee00865b0bfbc5147892c0f6f58cd9831c63094a48fe3ee2cec07815d71dc9ee0

Download Submit
C:\Windows\SysWOW64\Nbbnbemf.exe

Filesize
64KB

MD5
fa20665d479336ea662a2d9f0c1bf21b

SHA1
e86e5a3ed8e9a9dfc6ce8bc9c2b69e7a435af548

SHA256
f7f780b41382d85665fe0bd0df47fe022cd744eec0c50621cc052518e6a7a34d

SHA512
6eb42067e8fff4cf6de4e40219a43231b5774ab2ecb8ac4aa241def2a24b0e40b9f53760f23f93250ee699fc289d106d6d1f5a34b87683ba595baa8866de4eab

Download Submit
C:\Windows\SysWOW64\Ndidna32.exe

Filesize
64KB

MD5
82e895d826a9d08c370e7ebf5123313d

SHA1
51d101c8671ba24103bb3e470c320ba6cde57c44

SHA256
1fcdda128ee8659e6495b454e6af7226a7082e72a8d7cf33ccc6ff0061cbbfe0

SHA512
5f1b706427f5ebfa66f458837f810feea393a156b82358c44f394736d70369e2d98b11bfae08da6be6be3d94a735ee18f18cff56277284500cbd549a3950f874

Download Submit
C:\Windows\SysWOW64\Ndlacapp.exe

Filesize
64KB

MD5
2f0088c705dcb2b8e3bbbf46574d23a7

SHA1
2f29329549257e7625cbe0f5092058a9f44c7273

SHA256
62ff6ebe9f60709e533a2f31010319438be13616bc2f6e296f5c98379491aa9f

SHA512
3b24b3f1e692a3cd6a8db4b4421cb85227bd5cf67a9c18fbf8a43b7c4bc8a945507fd968846a06afeb989a406474ebef8f6710906b7bdd9a2d509d69ec5e2989

Download Submit
C:\Windows\SysWOW64\Nfknmd32.exe

Filesize
64KB

MD5
e0f212ae1d0ba08ee832df2c2dcafd53

SHA1
4dfbc54ca20545b82fb1d63f886808e5f90e570f

SHA256
82aa4a5d01e07053c8dff3e8d15a4b9e04b424d41bfe7ed3422d983a489387dd

SHA512
c878543c0f3ff25e4cd9709157ce5431e8ef12ccaa6e249808f64cdf1a50fa97ef89f80059f91d57bd58ef9bd72456e55782b5d653ae78be895f6c7f3b0a2cd8

Download Submit
C:\Windows\SysWOW64\Nkcmjlio.exe

Filesize
64KB

MD5
2cbce7cf765d702739aec8f4839ac3b1

SHA1
8581672363f163f7b32af0385efb34df6bbe1bb9

SHA256
e695e37322b0d9e3977fbb11b2a4a006085e6e361b07684ad77b5ecd23f6b710

SHA512
cf4fc2e46d6ab1da6d6addc328787ac1ddec5880ac31ed16a46861a96b4ed39f8998692c529b733b8839c2aec0e63582cf8f5d8364167bcdc113d5bc0426ac38

Download Submit
C:\Windows\SysWOW64\Nkeipk32.exe

Filesize
64KB

MD5
f8f230a55c560b2b0661235490cb1337

SHA1
1992b906b2878e2de7cb374c6bd0aee8687abb7e

SHA256
32b6f3532ba09a10ff718d69b7879608b7613567cc744b7d74ebafc26328b2f2

SHA512
15537154afe6e325f020c0e101552d7cf21af9ce5584334afaff65ecbda1c54c2cdcc24712f4ef71cb7f168d8c09158cdef54030165656c037fa4c74f8fce917

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe

Filesize
64KB

MD5
65497619f7b82121c4d7aa6b2ccf7f91

SHA1
ee547b0144439834737eeeac82b269b9ba843142

SHA256
e0c2058aadc2c03ae71c2fbef17c65b49bbdff1ff9a83fab1721f50ffd35b831

SHA512
1723a3da33a863ddb80f3e09e47e865b558063e66129b92adb84a481f8aca1ccd731b7e4ec7b3b8e98de19855e323ddce293ffb908efc020c720b9269efd5fa1

Download Submit
C:\Windows\SysWOW64\Nofoki32.exe

Filesize
64KB

MD5
c5b99a5c2a45dc1b3eca7bacf9710e39

SHA1
79839617f258cbdb9653e1161ae7f6b899abe7ca

SHA256
0938fe23eb6c970feb08aa4121b97d5e3ba99ae4ce6ad0cecb257aad70600ca9

SHA512
f6674bee3fd70c63601660cad973afc2831ad8b92af91cb3f3c6fd62a57359f020d8049c2f3eea04b280af34ecadb877dff0d3c4dc218fc66fe42840a5304e04

Download Submit
C:\Windows\SysWOW64\Nomlek32.exe

Filesize
64KB

MD5
db4894a7118fca49caaea881a9af4d02

SHA1
48e387ca9acd93f8e41bef11bb4c755c238c42c9

SHA256
0fa6b118a470b1dbdd98c11fe9d346704f7c1dacd11c689f04c6de7b4d9cd736

SHA512
843d7fb6671058e19b44e1fc84f64ff2453281303548cac9db8e5c3a55d39dabf1e9b963b0775e3eb41e881473c7f6c8e8388e42c1615f2b15d75a89cda4fda5

Download Submit
C:\Windows\SysWOW64\Obpkcc32.exe

Filesize
64KB

MD5
b359f4cbcf95fc56739a403c1c5f460f

SHA1
46a12524771096618a3082ede1e7167507aa8e20

SHA256
d41e4816113535269425ea15deef9ca78e9309bbc8c67f4f414999c614861e53

SHA512
39a4b8f212b1692a650b6baf1a9b719d5a16c342dfe3b6c79dc1129608f8141b3cd8b9e623eee7eb1e9c2b267a50099b679ec400f8198967217ec9194bb9c0b9

Download Submit
C:\Windows\SysWOW64\Ocdgahag.exe

Filesize
64KB

MD5
0ebfcc8e8aa6a26616cf694a812fcf49

SHA1
cfdfa903b450bcaa7663bdd1b4077eaf671049c1

SHA256
826e8a9b19a96d3352062d2426a619d1fef11f0f6660d8abf43f82d2dd2be987

SHA512
a2aedcd08aecd89f3a1aa59cdf2e66848822e44b89bc07008c31a995ac76ec4c7537007752691db4bb4f5a774de8997e769374be3bca825e6a024eda04438b03

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
64KB

MD5
ed506c7e7dfaa395a4820d8f33773211

SHA1
13034a260cac25ebf4980e212bf871744cdd6d08

SHA256
2a839ec24ad34a5caf02b2fa75b6ed4e9b1da360be56676bd454bae2a9d6ca34

SHA512
d08120804fe3706eeaeec2bfc4cccf69a12260e0671a7e049324896c3084f9ea5a009a7b0cee7bbe168ce95e2de9a6679ef4a069c513eb833edcecacf48f718d

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
64KB

MD5
888e7afbbb11f58c1cc802d799d97c4f

SHA1
93f67059e5c88e6bfef3636c673a4f39d7c5e5c6

SHA256
797df0b0d94457989f33b430c2b69af2805d3c16a7d744db89a9f981dd28b218

SHA512
6f6d7caeab68f31fd2b22033448917af4f525fde998c81a99f28db4186fd5c48b7a3d63145c31e767f6a253f9db31da7b69f58dc7ab2ac38a701b40ba679976a

Download Submit
C:\Windows\SysWOW64\Ofijnbkb.exe

Filesize
64KB

MD5
aa8033047d4c3334bee19e1f482f0929

SHA1
b91ecf59d2c83af339e0de2d70e5223773d2e2ad

SHA256
410b21a23166b1ef258d1d2a4e33ba952f28ba0d29aa859f38692a058fc27a16

SHA512
79d37023dca8136a24b428b6d08e7c168e11dbcf8ffa15827bb93f9d96bd93837316a3a3177551518a6a2b0238bf81d7bacc2e5f11658e08ffde6b120f8b819f

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe

Filesize
64KB

MD5
1b52a1061191bb2a7f96f09b9c87f313

SHA1
be2ac571aa5bf3f62c2f27f0b1e00b94adcef5b7

SHA256
35586b1095c57d1c1493216149fffb81c8c9c12348cc52538e1d9c72725e568d

SHA512
1d1357623976ab2ee8b65e2e23ba16c3d50f7a06a093b419beeff93904d2aecbbb8e878377adc8bc7ee5d43caea0a1f0f60a2ab1a94b4ba21917d19ccb14d27f

Download Submit
C:\Windows\SysWOW64\Oheienli.exe

Filesize
64KB

MD5
c026691955b470f059b71b166aee1187

SHA1
42e3ad8150636ec78e32ebbb1cfc8022f41b4a56

SHA256
0e399ca0db365d4281cf88e97107c90a0b47e64b173b570dce3142c4446a1835

SHA512
2d2538c9e03452ca7e4d51279bd69697011c8aafba455fb747fb078f05c61738060635fce97643d1dff1d2e2f99b4e7d47527b9ccafa5d33e8dd1a054ec83643

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
64KB

MD5
27c3769a47b64021b54dbdbd52e35e9a

SHA1
e3d60611a1ed7492797c2a5148d8e82bd8c407c6

SHA256
39f213d8f48bce5807971f6e7cd0d97db464ae99ce0df754764cadf02fa6b6db

SHA512
8533ec2ee0b410808968c005bfc08b4561923a01d49e1c6f0276e19d4798a79b86f4a89c3c84bac86e4b576ce9e453964c69c769522c0e546f51e9a8e276aaaf

Download Submit
C:\Windows\SysWOW64\Oloipmfd.exe

Filesize
64KB

MD5
b8f1553172f90785ebe3364c799dd0c8

SHA1
316e48a2e8e5b975cc53cd8f4f5c9f62732fa643

SHA256
0140000454808c14fe3c00cef4b6946104398e7adec1344d8aa3d913e93868ce

SHA512
035e93bf51e4206c9f3e72455a298aa58dd7a16d4f96259b7e02fcd38f2138641c0b956d858d8f83fdcee7d0e349a6875cf303d4569bd61ce980c7fba1225765

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
64KB

MD5
f914a7a42957477311c36cd432c77087

SHA1
ce1f30121034d752c75794fe706bd0541c82ed61

SHA256
ed314206cccc56825c7c97d18990d9f9329bc8d6ec45f4a0028eeb622914a095

SHA512
c8b2da88a201cc5772fb838fd135451a27ff651fb2f160fa8c21161934fe9bb36f5d71bb49ed045f26cff59423933a85108e77af2011dfe0549201ef37dee0bd

Download Submit
C:\Windows\SysWOW64\Pbddobla.exe

Filesize
64KB

MD5
6bf13f2da612708c49120f3ac51f4166

SHA1
7459a1b94dfe336dc36a8b9387d19b5b88af0ade

SHA256
cece337ab9f43158292d55c416813d8c498fe88a40b12a0ff5eaaa005b6aae7f

SHA512
41c6be6d8b3c11324a7b5efeb33005ffd24d4b1510375909f3f7e878578e2e5a494231fc4250f7f9e454b90b55979ab01c2c2ca4626d02ec991da59093b3cb25

Download Submit
C:\Windows\SysWOW64\Pecpknke.exe

Filesize
64KB

MD5
eabc310826b9c9871d4996d31b3ce87f

SHA1
1c9c6a8943b4782fbe9a9b320ac679008754c934

SHA256
1c18cb66cb24e1ef6ff52f139f0b558c8f3fccdfaeed44053c67311d7a8a70cf

SHA512
9bda83138590390620966229a65651ff18715250bc937022c812a23db9f758f956729d7ec224a78645b54632a433c041d137232c279aa729d9d4ff03c7a1d81f

Download Submit
C:\Windows\SysWOW64\Pfncia32.exe

Filesize
64KB

MD5
5e07c9b17d85ab9152394bbe7b27e3bb

SHA1
47b5b88059945d860f951bef2b6d4be5bfadba02

SHA256
079e771bfedf8693673b5ca86eabac32494703b8a95d0f650eca39d96d162179

SHA512
10c5136176a6c40d233c61e701a6723e5adf843f6a9a79dded3e834b4e703c79e287a5e4ca156785fe869bc266c596443b96ae2a845f8c7a2f84c34642160f84

Download Submit
C:\Windows\SysWOW64\Piaiqlak.exe

Filesize
64KB

MD5
283940dd4921c22ea38936aaaa3620a8

SHA1
a37fca0b44619e4cd77847265c2c3c1634ad4c3a

SHA256
f5b49c7a3a5f05cda56eb27f10e4afc54cf986a2a3aa904b4f63b76cacfccc5f

SHA512
317af6804dfd2be26451496acae60e93f266f80087dcae4fba78d053f6524351dc410ff78bdf3cc6d2fe41c0b7d32b9d133ef9427ec38d1ea12f2ef951fd7ea7

Download Submit
C:\Windows\SysWOW64\Pkabbgol.exe

Filesize
64KB

MD5
a7ec788b1850c8febe48101644bbdd92

SHA1
2fa53622a3bf1c1aad17c9b5563b0a0ce99757dd

SHA256
2f7e234dc350bee588eb5fc71c52108470029cf975838966f43a36dcfc319c1b

SHA512
ca8ffbe5cb76903f67c8d70141318dcc718c18623c61b21a3ab438218a2d34fc4feb3b6752695d17fb11a3c17ed79f88e40f983f7b10c44ea0022041bf599d34

Download Submit
C:\Windows\SysWOW64\Podkmgop.exe

Filesize
64KB

MD5
07ccf8c4555a5d734a0e8d54874013dc

SHA1
10f2128b49ecdc4274ef2b048718b771b28124d3

SHA256
78da1c17755f90ff5d2831056aab731706fb2b4d461908a17f7d10baad025e08

SHA512
e6bc963d335281f0777cd32526584a9611a1badac538c674fd9635a7cc012f901d919bf1c29998a781681929e3281744ea0283cdc59058dd2cb7fd675753330b

Download Submit
C:\Windows\SysWOW64\Pokanf32.exe

Filesize
64KB

MD5
1fd0f545c55babe164c89e887b019fb3

SHA1
7632577dbae61eb26c6ed6ed9fcf234f39470530

SHA256
b8b24fd7194ea792b65fa44548274c0552d764298079b5dcad2eb3edbbe997cc

SHA512
2964c8fe3fe16142905ecac308797dca23882eb56b135a62bdc460cf525cb833f0ddb8a473f6362c30d090c7dcdbc1826e48ec0cc6d6a7b8bc1092d3806e1fbe

Download Submit
C:\Windows\SysWOW64\Qbngeadf.exe

Filesize
64KB

MD5
83a639db0c350f05340710054ba76c79

SHA1
b97ca5e7e22437471d2a81f88c5d21f5ef611d4f

SHA256
99e16c280bd50d0d27b04db8efbfe44575afb3b394cd22af206a77f77d469e62

SHA512
ab8240cd0d6ac3b325eb8c113fa9065e7049e624ccf4e8d452b46f3db12bffc85732a85ce306075c75c9233d844482be4f16e75f2eb5a184649845488d20ff1b

Download Submit
C:\Windows\SysWOW64\Qifbll32.exe

Filesize
64KB

MD5
e53ebbc0e246d35a51d4646512959ac2

SHA1
49856d1403b3e77e3533fc1be8196aabed135580

SHA256
82bc4445ab7b3fd8866a9a772fb2f5ef64915be64b4d2f412db534a476f21889

SHA512
306ca5a528a02b1567fc727d11cfd2e2231534af1377fb21b78dd1f86ad5ce47438bbfeb95625b9f289e40cd4ed2a5e12e2c47c85b92158f903344e7bf41b8fc

Download Submit
memory/432-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/512-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/660-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/660-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3796-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads