40d6dd0e3b4c5c07ec0f6a52d858ac0cbcd1a68699497aa86d8ee0a66d13664d

Analysis

max time kernel
104s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 02:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e089d94cbb678247fb602e631e796840N.exe
Size

80KB
MD5

e089d94cbb678247fb602e631e796840
SHA1

732df5382c870a56d99d1b158354a488d437a17d
SHA256

40d6dd0e3b4c5c07ec0f6a52d858ac0cbcd1a68699497aa86d8ee0a66d13664d
SHA512

d22e8df862ccadbe18726d98aeb0c35596d1d8f203b0dd3878b02b0a9f4f47d3628148bdbcee5889e6c67eac8544cc0990b8b3f8801e0da364c02cc4c898af60
SSDEEP

1536:DOVG0ch8X1bg7HPKWM1uVdLsnR85YMkhohBE8VGh:DOs0j9grZ6nRoUAEQGh

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e089d94cbb678247fb602e631e796840N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e089d94cbb678247fb602e631e796840N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe

Executes dropped EXE 64 IoCs

pid	Process
2556	Lpqiemge.exe
1960	Lboeaifi.exe
3828	Lenamdem.exe
4036	Liimncmf.exe
1076	Ldoaklml.exe
4736	Lgmngglp.exe
2028	Likjcbkc.exe
388	Ldanqkki.exe
2772	Lebkhc32.exe
4608	Lllcen32.exe
4952	Mbfkbhpa.exe
2768	Mipcob32.exe
4508	Mlopkm32.exe
3592	Mdehlk32.exe
3308	Megdccmb.exe
4488	Mlampmdo.exe
4728	Mckemg32.exe
1104	Miemjaci.exe
4720	Mpoefk32.exe
1128	Mgimcebb.exe
5088	Migjoaaf.exe
3292	Mpablkhc.exe
4424	Mgkjhe32.exe
2680	Mnebeogl.exe
220	Mlhbal32.exe
3628	Ndokbi32.exe
3448	Nilcjp32.exe
4296	Npfkgjdn.exe
3084	Ngpccdlj.exe
3172	Njnpppkn.exe
4768	Nphhmj32.exe
4288	Ngbpidjh.exe
1176	Njqmepik.exe
2120	Nloiakho.exe
4932	Ndfqbhia.exe
3584	Ngdmod32.exe
4500	Njciko32.exe
2060	Nlaegk32.exe
2512	Ndhmhh32.exe
1788	Nggjdc32.exe
2108	Nnqbanmo.exe
4448	Olcbmj32.exe
1480	Ocnjidkf.exe
3604	Olfobjbg.exe
3216	Odmgcgbi.exe
2660	Ogkcpbam.exe
1536	Ojjolnaq.exe
2336	Opdghh32.exe
4340	Odocigqg.exe
4860	Ofqpqo32.exe
652	Ojllan32.exe
3716	Odapnf32.exe
4280	Ogpmjb32.exe
1456	Ojoign32.exe
2396	Oqhacgdh.exe
1460	Ogbipa32.exe
4688	Pnlaml32.exe
2588	Pgefeajb.exe
3656	Pjcbbmif.exe
408	Pclgkb32.exe
5044	Pjeoglgc.exe
4836	Pqpgdfnp.exe
4120	Anmjcieo.exe
4708	Adgbpc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Fplmmdoj.dll	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lebkhc32.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6212	5892	WerFault.exe	222

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e089d94cbb678247fb602e631e796840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeokj32.dll"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e089d94cbb678247fb602e631e796840N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Olfobjbg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 2556	668	e089d94cbb678247fb602e631e796840N.exe	84
PID 668 wrote to memory of 2556	668	e089d94cbb678247fb602e631e796840N.exe	84
PID 668 wrote to memory of 2556	668	e089d94cbb678247fb602e631e796840N.exe	84
PID 2556 wrote to memory of 1960	2556	Lpqiemge.exe	85
PID 2556 wrote to memory of 1960	2556	Lpqiemge.exe	85
PID 2556 wrote to memory of 1960	2556	Lpqiemge.exe	85
PID 1960 wrote to memory of 3828	1960	Lboeaifi.exe	86
PID 1960 wrote to memory of 3828	1960	Lboeaifi.exe	86
PID 1960 wrote to memory of 3828	1960	Lboeaifi.exe	86
PID 3828 wrote to memory of 4036	3828	Lenamdem.exe	87
PID 3828 wrote to memory of 4036	3828	Lenamdem.exe	87
PID 3828 wrote to memory of 4036	3828	Lenamdem.exe	87
PID 4036 wrote to memory of 1076	4036	Liimncmf.exe	88
PID 4036 wrote to memory of 1076	4036	Liimncmf.exe	88
PID 4036 wrote to memory of 1076	4036	Liimncmf.exe	88
PID 1076 wrote to memory of 4736	1076	Ldoaklml.exe	89
PID 1076 wrote to memory of 4736	1076	Ldoaklml.exe	89
PID 1076 wrote to memory of 4736	1076	Ldoaklml.exe	89
PID 4736 wrote to memory of 2028	4736	Lgmngglp.exe	90
PID 4736 wrote to memory of 2028	4736	Lgmngglp.exe	90
PID 4736 wrote to memory of 2028	4736	Lgmngglp.exe	90
PID 2028 wrote to memory of 388	2028	Likjcbkc.exe	91
PID 2028 wrote to memory of 388	2028	Likjcbkc.exe	91
PID 2028 wrote to memory of 388	2028	Likjcbkc.exe	91
PID 388 wrote to memory of 2772	388	Ldanqkki.exe	93
PID 388 wrote to memory of 2772	388	Ldanqkki.exe	93
PID 388 wrote to memory of 2772	388	Ldanqkki.exe	93
PID 2772 wrote to memory of 4608	2772	Lebkhc32.exe	94
PID 2772 wrote to memory of 4608	2772	Lebkhc32.exe	94
PID 2772 wrote to memory of 4608	2772	Lebkhc32.exe	94
PID 4608 wrote to memory of 4952	4608	Lllcen32.exe	95
PID 4608 wrote to memory of 4952	4608	Lllcen32.exe	95
PID 4608 wrote to memory of 4952	4608	Lllcen32.exe	95
PID 4952 wrote to memory of 2768	4952	Mbfkbhpa.exe	96
PID 4952 wrote to memory of 2768	4952	Mbfkbhpa.exe	96
PID 4952 wrote to memory of 2768	4952	Mbfkbhpa.exe	96
PID 2768 wrote to memory of 4508	2768	Mipcob32.exe	97
PID 2768 wrote to memory of 4508	2768	Mipcob32.exe	97
PID 2768 wrote to memory of 4508	2768	Mipcob32.exe	97
PID 4508 wrote to memory of 3592	4508	Mlopkm32.exe	98
PID 4508 wrote to memory of 3592	4508	Mlopkm32.exe	98
PID 4508 wrote to memory of 3592	4508	Mlopkm32.exe	98
PID 3592 wrote to memory of 3308	3592	Mdehlk32.exe	99
PID 3592 wrote to memory of 3308	3592	Mdehlk32.exe	99
PID 3592 wrote to memory of 3308	3592	Mdehlk32.exe	99
PID 3308 wrote to memory of 4488	3308	Megdccmb.exe	100
PID 3308 wrote to memory of 4488	3308	Megdccmb.exe	100
PID 3308 wrote to memory of 4488	3308	Megdccmb.exe	100
PID 4488 wrote to memory of 4728	4488	Mlampmdo.exe	102
PID 4488 wrote to memory of 4728	4488	Mlampmdo.exe	102
PID 4488 wrote to memory of 4728	4488	Mlampmdo.exe	102
PID 4728 wrote to memory of 1104	4728	Mckemg32.exe	103
PID 4728 wrote to memory of 1104	4728	Mckemg32.exe	103
PID 4728 wrote to memory of 1104	4728	Mckemg32.exe	103
PID 1104 wrote to memory of 4720	1104	Miemjaci.exe	104
PID 1104 wrote to memory of 4720	1104	Miemjaci.exe	104
PID 1104 wrote to memory of 4720	1104	Miemjaci.exe	104
PID 4720 wrote to memory of 1128	4720	Mpoefk32.exe	105
PID 4720 wrote to memory of 1128	4720	Mpoefk32.exe	105
PID 4720 wrote to memory of 1128	4720	Mpoefk32.exe	105
PID 1128 wrote to memory of 5088	1128	Mgimcebb.exe	107
PID 1128 wrote to memory of 5088	1128	Mgimcebb.exe	107
PID 1128 wrote to memory of 5088	1128	Mgimcebb.exe	107
PID 5088 wrote to memory of 3292	5088	Migjoaaf.exe	108

C:\Users\Admin\AppData\Local\Temp\e089d94cbb678247fb602e631e796840N.exe
"C:\Users\Admin\AppData\Local\Temp\e089d94cbb678247fb602e631e796840N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\SysWOW64\Lpqiemge.exe
  C:\Windows\system32\Lpqiemge.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\Lboeaifi.exe
    C:\Windows\system32\Lboeaifi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\Lenamdem.exe
      C:\Windows\system32\Lenamdem.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4036
      - C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        35⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        46⤵
        Executes dropped EXE
        
        PID:3216
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        64⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        69⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        71⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        90⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        99⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        100⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        107⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        109⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        110⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        113⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        114⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        123⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        128⤵
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        131⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1488
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        133⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        134⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 396
        135⤵
        Program crash
        
        PID:6212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5892 -ip 5892
1⤵
PID:6168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
80KB

MD5
5a9dc885414528ebf6493335cb214672

SHA1
6a45830d9efed4fe92be505688a9aff65e9d8a28

SHA256
df0c91676681212ae5bf44c216ed7c620ac2e3c0d330f41b17d59f8d1ea16204

SHA512
6b1b0019b0b655aa389a71c2d9faa7c4c0fa610ee935a36c6ed8046c89afee56433f0dcef018363c79da0c0b8efcc1df32b095631103b1b10cb18b70ccb5e58e

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
80KB

MD5
a3162939ab439e85ffcc0a248b434b32

SHA1
946d604b49f49473c01c68e3045515c74c606e14

SHA256
4040e987e0972e96b0f42ca7fb75dec0f0678bc0a7894a64c0b56b8e6d9d1bcc

SHA512
3d7b8d0062cfaf325ebfe917eaea6f5b2c81dfd3a82453e9c2444f2c2bcb25d956777f068f82b9c825458cebcb2dea15d56bb49d70a84f72f2a5ddaf74dcaac5

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
80KB

MD5
468d23b8c71c3a203c9c1f011a779485

SHA1
dc265d0bb78a3dba2a69f93a9d6fe4cb3e242bac

SHA256
105acf7fb958925efe9559b7d7564ec8884d0fa1ddcf38000cb88cddb15f1046

SHA512
8c1eafbddbcca01c97ca987e8f2878b7ce80857fb2decd9f1c8c6232678cad24240c02f1ed9ed1a4c2640bfc71727ced9437a3610fe682b37f90f065fe5e86df

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
80KB

MD5
32db26d827a1848b0e3b98f3bca80b0e

SHA1
531b821f173e468f7d105eb20c3d30e747cba4e0

SHA256
cc46a9296c87edf69aaa3e72a81787fd73222bf27fd87cc948ff69c54e536090

SHA512
fd1bdcf12b118477637d4988dc9510ae431e56bf1ee45ef83f8276088ced55075297fbbebf85123a1899a6fdd5afdf4be3d1c87a2e015ea15c4ae16b62ad0500

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
80KB

MD5
7d5745bebdf90004cb3a238f681085ee

SHA1
6bb2a49e10d1670c2d12b87512627f6989690adc

SHA256
f8da6b573ea214e9a5e7eab84a69f260c0dd8700264fcc783512f208fb8cb5f4

SHA512
bf465b1bd6bfdfbc398f048069c0907265fb59aad2d2bddfad7d8aaedc3abd9b0677e4e17c26313337de8586ea303bc7bc27630e9d70a788de59d759f21fb8e5

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
80KB

MD5
90108094f9a823a039d7d9dffd8c86f9

SHA1
4997b798d74f56beed6025ac7f311443b90d2c27

SHA256
44dcb54024accb4cf536928e7f84c65a82968ff34ea785fb71a1baf29d81326e

SHA512
0ccf424b6caebe62c60a8ce06286289aa021f2760528fd23f7950dee86afe291839d79098854f015ab33a05756793c1bd590c0824eb142e1751d57ee31191ea7

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
80KB

MD5
d172eb8e342acb02aac1d8b4cd3ff05c

SHA1
c4c6c1830afe04667c587f42675a0b7f917cac07

SHA256
a49df272251aff7c74b371b272d5af074fc225e6c3f8d1159a0c2dde5ce890a0

SHA512
101b262236d0a908f77d27fc834a6c503965a78d6d70d859c244d97def5bde0ebc9644200f739854389e053565d2c4eaf069c1dd83a4b3e152144bb1fbd3bbfd

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
80KB

MD5
0bbbd2a4c3589281fba15f92fd68e781

SHA1
1d4bf1804be070c963d9f46868f68158ee5866fa

SHA256
1fc8e126fafce0b438c810f47d3538c900be1c5bc3e509fc4ee1090337c0feee

SHA512
46ef9b161cf8bf9f5a15ed194081edcdc0046ed55e49138f337af0710332c0e5cc7e740b535f8c37c5279ddf0594f180b14f58ca6e9ede59076f2d7bc25397e8

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
80KB

MD5
41d7d2d8cc7ff693193b1598377014fb

SHA1
f0f9dcf01bc226d14aacc29fdef5319e6f9ccd3a

SHA256
977a7c0f4148e2f7e01538b207186e69d3a35477ff97d6497f949262e0453578

SHA512
18ca8c45eb6873d580ecead5ff899a5db943be6a923d082e0dfa64fea5d16e17d32e2a9df6b0ef6580b247ae30c8ba781dc2234087b05fbe93123f3a825c755f

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
80KB

MD5
ec9d4f8e9cbf040882ef3c1d08f6f22f

SHA1
1df11be82b2f669f7730b3285f44a147ab78fec6

SHA256
273ab91cf6da8854e92d87cd2961161a58f6d825c0b26e0a02dbe9617f1d645e

SHA512
d0f6468a5e0ca0fdbe190745c3dc3bfaea89b74d4ec0e4ebaf874d4286454158fe3f9943d518ef8c27455d8725f769f38882f7752a3a294a63ddabb8a119ec52

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
80KB

MD5
b53618be87598df83fae2bd8a390e0c4

SHA1
9f8338ff759df9960cd7d674c033e86dd09db691

SHA256
3f401e6c0b0386d035017b4b2032b70b46f02a237cab7efd19348c7cdeb104e8

SHA512
5e34b75d9fc141ce87857dd9692bd3ee70703b9eaab22d839f10ece985be08fba4a26e27d70c62d86e502df3b3b638133683c99b332ec435eca970385b7038db

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
80KB

MD5
6ea72fa0fd5b7a4a9e7c0ad7d0ead8f9

SHA1
c136c5842c4fc39e44d83deef11282865d830514

SHA256
e5cf17d0ed5eef13115ced78f367e7670490eeb5d0efa97cd4133a3b1cf7c1a4

SHA512
343083c9aa482aff04ad040ea6d58c8813ee0b7f15d2df311767c32bf481066945863970f4d512669fd44ef9f9509d3d24878fffa55de87ec15576f0430370eb

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
80KB

MD5
2f90b32979841ef173d682dbbac30faa

SHA1
97606a82734d6dc9161566b1304aa54cd932b4dd

SHA256
a24ba5e0bd01ecf1a2d43b97e4c7e196817fac83faa4a0ecff975eb485e1b744

SHA512
20cb30cc728f2b1698cf2b6f27101089a9d5576d1c2b04920c3b5787c58460b4f4e570a3480f2dd41f0737d701cf11d94758c186ea495c3f5c31672f10c6839f

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
80KB

MD5
aed0bd58324b9fbc054ac13ee6c94959

SHA1
ca0de12e28c35e3842268f86d45088d6fb324c80

SHA256
54861d07c406c94ced022262f6238c0ca47f243e889296305a401a9e78158bc0

SHA512
f7ca422a9774239bbc04d68ed41e10011927216689154505fd5e9387c8e838cc5db29ed746a7f34f9a4fbadbc97b4bf0f6b066e35ba46daaa4b175a640d0316f

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
80KB

MD5
69d6f55fb3711c98ae3f1afea8cf5668

SHA1
a37e45f4c4900b9ea9b88ef8f44ac39e4117b246

SHA256
0362dd368559dd9370bf14db4b4c33b0ed694d378fbe1254caa19515c115318a

SHA512
ab1ab1445f5b17a0ec5dc02c5ac42c9951ce134203f09a7d6de56a13c73877f3022bf53aba0ab369c063ff70a595c4cd83fb975752ccd2f58a176d7d5f203069

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
80KB

MD5
0773b3457f2ea1f6fa2ffaee12ba7ddd

SHA1
673cb68929cafef2c18b1afccc0c151463866dce

SHA256
f6a670cfc5d34be5636947768a90bf353c171afeeda43cb80bcb52c708b5d774

SHA512
77e5ead3c8539b9f176694fd7d23f8b0908d09f90791765f3f5f9371c05df1c3e56ee18b28cc0354b7b4c96ad06610c8e17aa93cb32955b048ff3d70b02584be

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
80KB

MD5
98194b742f3dbb9b8c29400e0116e39c

SHA1
40725e53d93255289cb5168592e12490c9c59eb1

SHA256
fcd5eee20ba967974c8fd0a09eb57a4c418978404fa10f7071fa3a6d2cba21ed

SHA512
e2725b84c60f1a04836badab8dde316612ae0eb13154c54a123c8410cbf9297187f773d70905e5d7dff0f0fda59328714affd4a3188de330b5e09daebc59c049

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
80KB

MD5
15b041aef27b58c93f5733dcf1b3a325

SHA1
4954ec70a41a682c6f6b97d75ed6accb1ddafdf9

SHA256
f7bc7969b6263d9e3872087444507391fd66ecf0612dc85a6b0672a34b6c805c

SHA512
215a459854fe33d0d9faf52cabd771351e2c96e8902d2f434ae881f480b09afd7618fa12a41fcb9186b7a5040354878b159d806860cb3c9c72aae58c98f93615

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
80KB

MD5
5b1865ad6c5a6e02251f17fc4a74a1d8

SHA1
20e2af7696ec3ed7e0201b81faa434657803a244

SHA256
252c8835e2a0f47bdb2825d2c7bcb9eb70ea1f6f830e5b5abdc9f13808d34efe

SHA512
00a278f683ce396bb877ecc0b361af56a990c3db2f487216f301f706d94ae3551714600ac7891ad7a196c8bd615c770d743f1af4b4885c33a34c0e7a2d3ffb94

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
80KB

MD5
d7ddbef1989b8cbd4c8c1060d3e5eb76

SHA1
146ff4a3b9a9507fb0a2c1691aa1cacff5a372a5

SHA256
13d896a91749e1a654795953f3b35ee2e1e93fd00c8a97af6d67bbfbb0b0bcc6

SHA512
5b940478b67f783ff2ffad31480ae36d9bd6f49074600ea4dabac7467886bde2ea6f82c85862938351d95d890efe93df012ae5ff3c548f24fc41b12d0bb39df2

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
80KB

MD5
9126eff66083ef5c6a1228de42ad03c9

SHA1
fe3e54ff8c774ab237368de9d7abc62fb1e2e6f9

SHA256
8b8752d5c9980b69dd421a9bdd61135e9653c445c881708643fc4dc7018c8c16

SHA512
f5f56e5d6c0a62a217496e00dbcce9dbfa473a51d4117daf8757e2ee453e66974b9b77345b3ac096d3778b9af9b88f1d8d7c17361c1dca28b0ece44a499f2ef2

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
80KB

MD5
6ae3ff8209b95298d37664b4679272e8

SHA1
ece71971b493114ea0ccd2716caf492d0feb9233

SHA256
b13f58aece83591cf75db9b545c3906a906a38ce460e13315f196bea8a40b8d5

SHA512
ceb6036cfab3a0e7a75a4ecc80f1089ca4367ec9910b155ed923596dc1d5a184424a6122f1a9b05244e00ae99c8d862efccf9ee133d73e9b084a6170e9318270

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
80KB

MD5
c169d6e4b0adb71b0135152842d13cee

SHA1
423d0d30874d835031c67f1a7ee78199edc67270

SHA256
bc8e1e60201c071d7b6695bcadb122d216467786558c637fb71553e35e915bb8

SHA512
3c83990f670ce264284e3f1b027b9f2f10150ec81e415db863c2b2d7ea291d28ddbd5eb12a1fb2bbcc92c626eecdb9de5a2b5d2c48dd3c702ce9293c432fbb9d

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
80KB

MD5
51d538d5a1da2374241229f0e49daebf

SHA1
734c170609b951f637f442c9868ea95955565e32

SHA256
80e4868f5ae1002eda0974fa5dedbdb65072f79b69a4dc20d3a66c7a4051a96d

SHA512
ea69a5d78a2a0ce3844407e40f9210c4ae6dd5e2265e577ab962682cbca582ac59b47c34461c9c5a83a4dce1162888ba97c83551df344aeb223e4e4d1baded21

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
80KB

MD5
c1d23f958cfb4d4a94012cfc5755312d

SHA1
a8a0cce7e5ca89e60148c3a583cb5b013120e8cd

SHA256
9d075228be02130c8d5d0432e8596eb39702f97a03e447f1097e7aba42dfd4e8

SHA512
6a4baf0ef5e65a54860ae2f670d8cbad182de91dc82426a2a9078f8ae4b9c3974e9e47659dd36a7727c0b8b5d27512f2206cc92e7ffc1caeb25fca1892abfd04

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
80KB

MD5
b020d3b930925fec189e3f4257f2c065

SHA1
c7afaae32308ab4a6ad7685ac4f8d2d3045775bb

SHA256
a27f090f27802636c33f718350f4183e47596cbedbddcd62e18d2fe0a961a1c7

SHA512
7122532764e11851de3d6a8fbee99ee2dfdbe47ab1500d6c45a7bcc70624acc286881b3f9f47bd7b72bd8a1873a4557965d9e6e5dd9bd2f9ac76fbeb950a768d

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
80KB

MD5
44d0e25f763247e743b757a573942d91

SHA1
e3722ec4c0698b1fe65b75698e2a0920e45a2ca1

SHA256
d18784350957f79f4e8d61d5169fd20e4bb639b8bc934e552a9b9587bbb10bf1

SHA512
d827b0b3ba573c4031ac7c030370f117787c88011e17ec095dfbea20a879b97f722ba578b51d5b46c90d8eb96f4fe46a42281f6fb5af4a60e9402eccc666d330

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
80KB

MD5
2ef4f1665e01689fae7a12cea2e919c8

SHA1
93fda4646554445e8778fafa059e4b59bcacdb86

SHA256
23c9293f1bacf7c637d309b5bbb66e879abe579814a6591157b77beef02b0b64

SHA512
47679e8ffbc6de72c94eb624f0cff504c43e2c2e6c0e1680f532b8e5b4bb0a2a74928634c4e0da25d60dabad822ac6a3ddadb0c25cc5eb34f7c9af984b577c4e

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
80KB

MD5
16d1100ce7a4e3040930c0ccf860990a

SHA1
8e0b36b1448718b0df7a5524f33c6790fd422192

SHA256
9d96060cd7778214c225f1de958e03619804e21b9540edd668c30eeec269c5ee

SHA512
01a8503a323a3e3c547d740053aa0c4715472955aa3d12a6269a661d51eab31e3dddc22a9af37db4ae94b99225d88fa01e54c8f9327f585f10c2f00d441cc7a2

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
80KB

MD5
a434926b12d46774663952c3a5456db9

SHA1
34b98a08b0412fe6c4c0bf39a64c2926ae6675e0

SHA256
e9aec4f1fc87a30a37370cc04e7dc44c510486cba66ca88fa7907841f6857abf

SHA512
3f2675baf5ad995441ca693023ad8a0a888bfbefa6a7fbf048bb7bd7c819a018552c7dad9856ed17163b54f51be364f06562f3ed052db7e844e99f00fdeb7b1f

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
80KB

MD5
3db66a2cb274be13458b157b935a3558

SHA1
eb41a1d1db9a6d62846ed464400978b747f9ddaf

SHA256
9e7edc45ae9946970b7d94cd92a78489415ede9fe9faf26ddb38a41e862abc8a

SHA512
58b87feff6a2c82736aeff82a6583fb4893c7432400c3e3de6fb684df53d4b8077f61eb64c6c590c5ab4ed4d1c212df21de9c4fb27730c1d1e4e6b59d74f1a43

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
80KB

MD5
f079d153ceb8ede40ad59e64b6721044

SHA1
f3d8209c87eeecf2eeea24b819de9509a7a4e1a5

SHA256
d10a44fae3c670d5320b8ed1c6938f3673c615db08ac99636937bb90036e98b5

SHA512
202ddcb3d553daff0a5e0b5b4735db1ca62d651f595b57e30baf912acb2206ee3c820888deb0e83b5d432c372622139d794b940ff040367edace17f12c95cf1c

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
80KB

MD5
8a4cc7e620c7f885b9477b8d16dacaad

SHA1
76b1ba7a27e598e9aefd0dc23b93b7bad773d252

SHA256
646e2ea14ccd7402c4583e3405822c6523870956d7f4ca07bdd2536c5db3a306

SHA512
a98eac8578c184d4582e8169188c2c97059026cf90b85455b8a1b9b4386f947125ab46811f6b9ead1d7d9c73f39009a35fd81703cedb554af09d014c323104ce

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
80KB

MD5
5f792ed44fc357fb86e7984f841dba90

SHA1
81054e9d1f0300981008b7b4ff26a7617d847dfc

SHA256
81c8b8798d7c30098d1b8317b3fc2732eaa5028e91b2a5f66f7599b80aa1c4fa

SHA512
50d329e900d2ed03ae06452b8a84ba3048b95139be484f904d670685fac1334a5ea2d5e87785f7e59bb32891dd9dbc30312f99326c6770e4cd8d12492f4c9460

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
80KB

MD5
4880ed1b6834b4ff04bd583fa0ac98a5

SHA1
4d46eb10c4de7c833f2582f70617fe164d7a36c2

SHA256
940a6a0cc2f9596636f89b5f53d58fa210594b8848cc96108e52bb3feae8d02d

SHA512
1cafd089dcfa05da2489e40ce2e3d3c05e07c5fa3099e84b148c572cc6536aeab2a3288ca734bcba66d22f185796fb2524d7404bcae160e666a74eaa568c223c

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
80KB

MD5
51071185ac3028fed9edba0810ce9814

SHA1
e4930cc1c3f0a486adec7bef454fce764cf95dcf

SHA256
fd11229bb1a67a5e5da02e5b431f9b79c3c5e8ee9d82d7cb4f589f05cddf81db

SHA512
dc9dc6db684c2792c3c0978678aa0f4d9ae6c6ad45a49042dbce55a7d11ac3ea6e02d3cb7099f48e4b1ceaefd75daaffa58ff79274c9d20b5d9ab757f10538b0

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
80KB

MD5
f9cceccfa123c3f945cfa4a9eb4060c3

SHA1
45d2a8b31b2cfaae292a20d2bf9d6de9b186ae52

SHA256
294f3f60f0b2eba86c81df283a4f746f17eedc8424d3f3ef95f8b42640d53c51

SHA512
267f33d12ba295529a920d0789261ebabc9335075023e6da2dbc126847defbf94a5de7316789dcfd3bd365e118fbfaca9f6d33ad678621868bb1e078fba2e9d4

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
80KB

MD5
451d0ba64d1f42a46199ff00bb1356a6

SHA1
aeef4d3cff1ba3f128bdda5956d4bc52af0bb4a7

SHA256
bf0a3811924cc296a2a9d9a63423abae0461376dc002e4465cf3bdfe78999deb

SHA512
e6dcd2c4751035f7f3270d4ad3cc1616741586ba3b25287d0a6b081938d5e1700541d583720f7661f920fd28980a55ae6a1bc51a00fc39b9860d499102ac20f9

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
64KB

MD5
307b777c04a9f7f25059d891f895c22c

SHA1
de6d254fd0f194a8f9e44d7ca4ba97acb6fd0c47

SHA256
edd0c462dba9ea18236f4589c268ca09362b10077859085d30dee669f0e84237

SHA512
f081a2ff0eab2d53935f605f153944208937b2ac12fe42aab08d0cba4593c898831d64913cef6bd2f59d06318251f6eb9f5b04995f88ddbf6e0267a970912375

Download Submit
memory/220-204-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/388-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/388-598-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/408-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/652-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/668-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/668-544-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/740-490-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-582-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1104-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1128-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1176-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1356-542-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1456-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1460-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1480-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1788-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-591-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2060-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2108-314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-514-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2336-356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2512-302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2556-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2556-551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2588-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2660-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2680-196-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3068-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3084-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3172-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3216-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3292-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3308-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3584-284-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3592-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3628-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3656-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3716-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3828-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3884-466-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4032-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-571-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4120-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4132-520-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4228-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4244-478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4280-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4288-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4296-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4424-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4448-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4500-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4508-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4608-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4664-488-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4688-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4708-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4728-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4736-52-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4768-247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4808-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4836-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4932-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4952-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-536-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5044-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5140-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5184-565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5224-572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5268-583-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5312-589-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5344-592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5400-599-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads