c1ae63ae4fbdea11333e939987e01c5a3c81da60705e27a885aa461215499156

Analysis

max time kernel
115s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

860e96a8c451ab3f9444aa684dee86c0N.exe
Size

80KB
MD5

860e96a8c451ab3f9444aa684dee86c0
SHA1

3ba2318b643c1ba33ac4886bd59ee10754a8c211
SHA256

c1ae63ae4fbdea11333e939987e01c5a3c81da60705e27a885aa461215499156
SHA512

c1cd6f07d82b8466cc305d137f784e23ba1190ae614ed74032bb3aa868bcf7a65dc2f498e515ca938fb027539fdc222755a239e33cec3fc8db8600702cefcedf
SSDEEP

1536:pLYMWgeRgxRCnHuLqR168l/k/PKpMiVXN+zL20gJi1i9:qRgxRCnHuLq1Pl4tiVXgzL20WKS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Memalfcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alpnde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhjjip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dllffa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bedbhi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clbdpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhbciqln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Almanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bppcpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blnjecfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mebkge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmagch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aealll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmfqngcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bihhhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdngpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afqifo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ollljmhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhfknjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mekdffee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bihhhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcidopb.exe

Executes dropped EXE 64 IoCs

pid	Process
756	Mekdffee.exe
4044	Mhiabbdi.exe
4160	Mcoepkdo.exe
2960	Memalfcb.exe
2120	Mhknhabf.exe
648	Mhnjna32.exe
3120	Mccokj32.exe
4304	Mebkge32.exe
1172	Mkocol32.exe
4776	Medglemj.exe
4908	Nhbciqln.exe
4640	Nchhfild.exe
4132	Nkcmjlio.exe
1728	Ncjdki32.exe
3456	Nlcidopb.exe
3716	Ncmaai32.exe
464	Ndnnianm.exe
404	Nhjjip32.exe
4184	Nkhfek32.exe
1064	Nocbfjmc.exe
2008	Nbbnbemf.exe
4460	Ndpjnq32.exe
1688	Nkjckkcg.exe
4224	Nofoki32.exe
3672	Ncaklhdi.exe
4680	Nfpghccm.exe
2500	Ohncdobq.exe
1960	Oljoen32.exe
2692	Okmpqjad.exe
2128	Ocdgahag.exe
2020	Ofbdncaj.exe
2772	Odedipge.exe
5056	Ollljmhg.exe
1704	Ookhfigk.exe
5000	Ocfdgg32.exe
2748	Ofdqcc32.exe
4700	Odgqopeb.exe
2032	Oloipmfd.exe
2552	Oomelheh.exe
64	Ochamg32.exe
3372	Ofgmib32.exe
2400	Oheienli.exe
2208	Omaeem32.exe
3160	Oooaah32.exe
4800	Ocknbglo.exe
3184	Ofijnbkb.exe
868	Ohhfknjf.exe
3688	Okfbgiij.exe
2116	Pdngpo32.exe
964	Pcpgmf32.exe
2540	Pdqcenmg.exe
3332	Pmhkflnj.exe
2680	Pcbdcf32.exe
1268	Pecpknke.exe
4420	Pkmhgh32.exe
2784	Pbgqdb32.exe
1784	Pfbmdabh.exe
3712	Pcfmneaa.exe
4064	Pmoagk32.exe
876	Qfgfpp32.exe
3916	Qkdohg32.exe
5028	Qfjcep32.exe
1692	Qmckbjdl.exe
5128	Aflpkpjm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Medglemj.exe	Mkocol32.exe
File created	C:\Windows\SysWOW64\Aiaeig32.dll	Odedipge.exe
File created	C:\Windows\SysWOW64\Hmjmqdci.dll	Albkieqj.exe
File created	C:\Windows\SysWOW64\Bpgnmlep.dll	Clbdpc32.exe
File created	C:\Windows\SysWOW64\Amkejmgc.dll	Cfhhml32.exe
File opened for modification	C:\Windows\SysWOW64\Mekdffee.exe	860e96a8c451ab3f9444aa684dee86c0N.exe
File created	C:\Windows\SysWOW64\Cdlhgpag.exe	Cleqfb32.exe
File opened for modification	C:\Windows\SysWOW64\Dinjjf32.exe	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Dfhegp32.dll	Ofbdncaj.exe
File opened for modification	C:\Windows\SysWOW64\Ohncdobq.exe	Nfpghccm.exe
File opened for modification	C:\Windows\SysWOW64\Bppcpc32.exe	Bmagch32.exe
File opened for modification	C:\Windows\SysWOW64\Bikeni32.exe	Bflham32.exe
File created	C:\Windows\SysWOW64\Cffkhl32.exe	Cdgolq32.exe
File opened for modification	C:\Windows\SysWOW64\Dfakcj32.exe	Ddcogo32.exe
File opened for modification	C:\Windows\SysWOW64\Defheg32.exe	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Nchhfild.exe	Nhbciqln.exe
File created	C:\Windows\SysWOW64\Bcicjbal.exe	Albkieqj.exe
File created	C:\Windows\SysWOW64\Bcnleb32.exe	Blgddd32.exe
File created	C:\Windows\SysWOW64\Dbcbnlcl.exe	Dpefaq32.exe
File created	C:\Windows\SysWOW64\Nkcmjlio.exe	Nchhfild.exe
File opened for modification	C:\Windows\SysWOW64\Pcfmneaa.exe	Pfbmdabh.exe
File created	C:\Windows\SysWOW64\Afeban32.exe	Acgfec32.exe
File created	C:\Windows\SysWOW64\Dbhlikpf.exe	Dpjompqc.exe
File created	C:\Windows\SysWOW64\Efhodebp.dll	860e96a8c451ab3f9444aa684dee86c0N.exe
File created	C:\Windows\SysWOW64\Lggfcd32.dll	Memalfcb.exe
File opened for modification	C:\Windows\SysWOW64\Memalfcb.exe	Mcoepkdo.exe
File created	C:\Windows\SysWOW64\Oqlbphhk.dll	Mhiabbdi.exe
File created	C:\Windows\SysWOW64\Okmpqjad.exe	Oljoen32.exe
File created	C:\Windows\SysWOW64\Ohpcjnil.dll	Omaeem32.exe
File created	C:\Windows\SysWOW64\Kfhfap32.dll	Afeban32.exe
File created	C:\Windows\SysWOW64\Kipiefce.dll	Bcicjbal.exe
File created	C:\Windows\SysWOW64\Blgddd32.exe	Bihhhi32.exe
File opened for modification	C:\Windows\SysWOW64\Mcoepkdo.exe	Mhiabbdi.exe
File opened for modification	C:\Windows\SysWOW64\Ncaklhdi.exe	Nofoki32.exe
File created	C:\Windows\SysWOW64\Jdaaqg32.dll	Oheienli.exe
File created	C:\Windows\SysWOW64\Okfbgiij.exe	Ohhfknjf.exe
File opened for modification	C:\Windows\SysWOW64\Qmckbjdl.exe	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Bihhhi32.exe	Bfjllnnm.exe
File created	C:\Windows\SysWOW64\Ldhopqko.dll	Bikeni32.exe
File created	C:\Windows\SysWOW64\Bedbhi32.exe	Bfabmmhe.exe
File created	C:\Windows\SysWOW64\Ndpjnq32.exe	Nbbnbemf.exe
File opened for modification	C:\Windows\SysWOW64\Cfhhml32.exe	Clbdpc32.exe
File opened for modification	C:\Windows\SysWOW64\Oljoen32.exe	Ohncdobq.exe
File created	C:\Windows\SysWOW64\Kpdejagg.dll	Nchhfild.exe
File opened for modification	C:\Windows\SysWOW64\Nkhfek32.exe	Nhjjip32.exe
File opened for modification	C:\Windows\SysWOW64\Aimhmkgn.exe	Aealll32.exe
File created	C:\Windows\SysWOW64\Bikeni32.exe	Bflham32.exe
File created	C:\Windows\SysWOW64\Nkeoha32.dll	Bimach32.exe
File created	C:\Windows\SysWOW64\Clpgkcdj.exe	Cfcoblfb.exe
File created	C:\Windows\SysWOW64\Cmiikpek.dll	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Dedkogqm.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Nkhfek32.exe	Nhjjip32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjompqc.exe	Dmkcpdao.exe
File opened for modification	C:\Windows\SysWOW64\Ndnnianm.exe	Ncmaai32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjckkcg.exe	Ndpjnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ofbdncaj.exe	Ocdgahag.exe
File created	C:\Windows\SysWOW64\Ndnnianm.exe	Ncmaai32.exe
File opened for modification	C:\Windows\SysWOW64\Nocbfjmc.exe	Nkhfek32.exe
File created	C:\Windows\SysWOW64\Pqoppk32.dll	Ofijnbkb.exe
File opened for modification	C:\Windows\SysWOW64\Bfabmmhe.exe	Bpgjpb32.exe
File created	C:\Windows\SysWOW64\Fkiecbnd.dll	Cbhbbn32.exe
File created	C:\Windows\SysWOW64\Eicfep32.dll	Ciknefmk.exe
File created	C:\Windows\SysWOW64\Aojbfccl.dll	Mccokj32.exe
File created	C:\Windows\SysWOW64\Cbpijjbj.dll	Ohncdobq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6520	6428	WerFault.exe	221

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhgpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmahknh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjcep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beaecjab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabmmhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejobk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpefaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oljoen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bimach32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bblcfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cleqfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhhbngi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mccokj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjckkcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfjllnnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clpgkcdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbpjfij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkocol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbnbemf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdgahag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfgfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhnjna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmagch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmfqngcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjompqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbcbnlcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defheg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpghccm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcnleb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhfknjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Almanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bppcpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnnianm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blgddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albkieqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofbdncaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiabhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffkhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cemeoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	860e96a8c451ab3f9444aa684dee86c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkcmi32.dll"	Alpnde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmfqngcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiiibnn.dll"	Cmbpjfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	860e96a8c451ab3f9444aa684dee86c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pecpknke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clpgkcdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmbpjfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlaofoa.dll"	Apgqie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhbciqln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijbed32.dll"	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdgahag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkiigchm.dll"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblaceei.dll"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iojghflb.dll"	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lggfcd32.dll"	Memalfcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbbnbemf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdgahag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpiidi32.dll"	Bejobk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfjllnnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgoikbje.dll"	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjokai32.dll"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchhia32.dll"	Clpgkcdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhjjip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afeban32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddhhbngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daphho32.dll"	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdqcenmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kannaq32.dll"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bflham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bedbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Defheg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Almanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afeban32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piifjomf.dll"	Bpgjpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clpgkcdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clgmkbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpldj32.dll"	Ofdqcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofgmib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebeaf32.dll"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aiabhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkebqokl.dll"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmglfe32.dll"	Bcnleb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oomelheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfpghccm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiaeig32.dll"	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqjhif32.dll"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aioebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddhhbngi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 756	2328	860e96a8c451ab3f9444aa684dee86c0N.exe	91
PID 2328 wrote to memory of 756	2328	860e96a8c451ab3f9444aa684dee86c0N.exe	91
PID 2328 wrote to memory of 756	2328	860e96a8c451ab3f9444aa684dee86c0N.exe	91
PID 756 wrote to memory of 4044	756	Mekdffee.exe	92
PID 756 wrote to memory of 4044	756	Mekdffee.exe	92
PID 756 wrote to memory of 4044	756	Mekdffee.exe	92
PID 4044 wrote to memory of 4160	4044	Mhiabbdi.exe	93
PID 4044 wrote to memory of 4160	4044	Mhiabbdi.exe	93
PID 4044 wrote to memory of 4160	4044	Mhiabbdi.exe	93
PID 4160 wrote to memory of 2960	4160	Mcoepkdo.exe	94
PID 4160 wrote to memory of 2960	4160	Mcoepkdo.exe	94
PID 4160 wrote to memory of 2960	4160	Mcoepkdo.exe	94
PID 2960 wrote to memory of 2120	2960	Memalfcb.exe	95
PID 2960 wrote to memory of 2120	2960	Memalfcb.exe	95
PID 2960 wrote to memory of 2120	2960	Memalfcb.exe	95
PID 2120 wrote to memory of 648	2120	Mhknhabf.exe	96
PID 2120 wrote to memory of 648	2120	Mhknhabf.exe	96
PID 2120 wrote to memory of 648	2120	Mhknhabf.exe	96
PID 648 wrote to memory of 3120	648	Mhnjna32.exe	97
PID 648 wrote to memory of 3120	648	Mhnjna32.exe	97
PID 648 wrote to memory of 3120	648	Mhnjna32.exe	97
PID 3120 wrote to memory of 4304	3120	Mccokj32.exe	98
PID 3120 wrote to memory of 4304	3120	Mccokj32.exe	98
PID 3120 wrote to memory of 4304	3120	Mccokj32.exe	98
PID 4304 wrote to memory of 1172	4304	Mebkge32.exe	99
PID 4304 wrote to memory of 1172	4304	Mebkge32.exe	99
PID 4304 wrote to memory of 1172	4304	Mebkge32.exe	99
PID 1172 wrote to memory of 4776	1172	Mkocol32.exe	100
PID 1172 wrote to memory of 4776	1172	Mkocol32.exe	100
PID 1172 wrote to memory of 4776	1172	Mkocol32.exe	100
PID 4776 wrote to memory of 4908	4776	Medglemj.exe	101
PID 4776 wrote to memory of 4908	4776	Medglemj.exe	101
PID 4776 wrote to memory of 4908	4776	Medglemj.exe	101
PID 4908 wrote to memory of 4640	4908	Nhbciqln.exe	102
PID 4908 wrote to memory of 4640	4908	Nhbciqln.exe	102
PID 4908 wrote to memory of 4640	4908	Nhbciqln.exe	102
PID 4640 wrote to memory of 4132	4640	Nchhfild.exe	103
PID 4640 wrote to memory of 4132	4640	Nchhfild.exe	103
PID 4640 wrote to memory of 4132	4640	Nchhfild.exe	103
PID 4132 wrote to memory of 1728	4132	Nkcmjlio.exe	104
PID 4132 wrote to memory of 1728	4132	Nkcmjlio.exe	104
PID 4132 wrote to memory of 1728	4132	Nkcmjlio.exe	104
PID 1728 wrote to memory of 3456	1728	Ncjdki32.exe	105
PID 1728 wrote to memory of 3456	1728	Ncjdki32.exe	105
PID 1728 wrote to memory of 3456	1728	Ncjdki32.exe	105
PID 3456 wrote to memory of 3716	3456	Nlcidopb.exe	106
PID 3456 wrote to memory of 3716	3456	Nlcidopb.exe	106
PID 3456 wrote to memory of 3716	3456	Nlcidopb.exe	106
PID 3716 wrote to memory of 464	3716	Ncmaai32.exe	108
PID 3716 wrote to memory of 464	3716	Ncmaai32.exe	108
PID 3716 wrote to memory of 464	3716	Ncmaai32.exe	108
PID 464 wrote to memory of 404	464	Ndnnianm.exe	109
PID 464 wrote to memory of 404	464	Ndnnianm.exe	109
PID 464 wrote to memory of 404	464	Ndnnianm.exe	109
PID 404 wrote to memory of 4184	404	Nhjjip32.exe	110
PID 404 wrote to memory of 4184	404	Nhjjip32.exe	110
PID 404 wrote to memory of 4184	404	Nhjjip32.exe	110
PID 4184 wrote to memory of 1064	4184	Nkhfek32.exe	111
PID 4184 wrote to memory of 1064	4184	Nkhfek32.exe	111
PID 4184 wrote to memory of 1064	4184	Nkhfek32.exe	111
PID 1064 wrote to memory of 2008	1064	Nocbfjmc.exe	112
PID 1064 wrote to memory of 2008	1064	Nocbfjmc.exe	112
PID 1064 wrote to memory of 2008	1064	Nocbfjmc.exe	112
PID 2008 wrote to memory of 4460	2008	Nbbnbemf.exe	113

C:\Users\Admin\AppData\Local\Temp\860e96a8c451ab3f9444aa684dee86c0N.exe
"C:\Users\Admin\AppData\Local\Temp\860e96a8c451ab3f9444aa684dee86c0N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\Mekdffee.exe
  C:\Windows\system32\Mekdffee.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\Mhiabbdi.exe
    C:\Windows\system32\Mhiabbdi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\SysWOW64\Mcoepkdo.exe
      C:\Windows\system32\Mcoepkdo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Windows\SysWOW64\Memalfcb.exe
        
        C:\Windows\system32\Memalfcb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\SysWOW64\Mhknhabf.exe
        
        C:\Windows\system32\Mhknhabf.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Mccokj32.exe
        
        C:\Windows\system32\Mccokj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Nbbnbemf.exe
        
        C:\Windows\system32\Nbbnbemf.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        26⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        39⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Omaeem32.exe
        
        C:\Windows\system32\Omaeem32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        45⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        46⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3184
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        66⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        68⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Afqifo32.exe
        
        C:\Windows\system32\Afqifo32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Almanf32.exe
        
        C:\Windows\system32\Almanf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Abgjkpll.exe
        
        C:\Windows\system32\Abgjkpll.exe
        73⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        76⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        78⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Bcicjbal.exe
        
        C:\Windows\system32\Bcicjbal.exe
        80⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Bmagch32.exe
        
        C:\Windows\system32\Bmagch32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Bppcpc32.exe
        
        C:\Windows\system32\Bppcpc32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Bihhhi32.exe
        
        C:\Windows\system32\Bihhhi32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Bcnleb32.exe
        
        C:\Windows\system32\Bcnleb32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Bflham32.exe
        
        C:\Windows\system32\Bflham32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Bikeni32.exe
        
        C:\Windows\system32\Bikeni32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Blnjecfl.exe
        
        C:\Windows\system32\Blnjecfl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        100⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Cfcoblfb.exe
        
        C:\Windows\system32\Cfcoblfb.exe
        101⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Cdgolq32.exe
        
        C:\Windows\system32\Cdgolq32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Cffkhl32.exe
        
        C:\Windows\system32\Cffkhl32.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Cemeoh32.exe
        
        C:\Windows\system32\Cemeoh32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Clgmkbna.exe
        
        C:\Windows\system32\Clgmkbna.exe
        111⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        120⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6204
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        123⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        125⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Ddhhbngi.exe
        
        C:\Windows\system32\Ddhhbngi.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        127⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6428 -s 400
        128⤵
        Program crash
        
        PID:6520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 6428 -ip 6428
1⤵
PID:6492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8
1⤵
PID:6872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abgjkpll.exe

Filesize
80KB

MD5
081816bcf4839c2251c9ba0ce63584f1

SHA1
f5f0f7cf47a9079ba5022eb12327d051272202a7

SHA256
f8418bf1a412aaabd078528d1c4acb00922de2367353ae7ad4bf286bb65f955d

SHA512
7d1d62790292cf24c009e489a3b19b74d7477dc343ffea1b9b84ebbc638e65defce428bdb2f2447f9d8894af81433bbb85cc46d6bec8ff3d0307e9d46c412aac

Download Submit
C:\Windows\SysWOW64\Afqifo32.exe

Filesize
80KB

MD5
c15106a36d52e89b9e4f79e8e7ecad8c

SHA1
b74e746de38e636b34f7cd67217a57ebf4c25bff

SHA256
2c2e8578bf91b751ef4db22683b0eb9d98a1f944c330cc0e60849a570e90e4d2

SHA512
4cf2a21cbc5c54ba82295e1fc38b2345b20bdd9ab24cd01e93481792279b3ba244dd33054a5572cb0288215116f5539e8d4bb8e25d9204b604aca9f74d71f87c

Download Submit
C:\Windows\SysWOW64\Bpgjpb32.exe

Filesize
80KB

MD5
be2319e4070ebf6a5216a48d01453d04

SHA1
9f55be6c852d9e029f63a23366439b480ab0f2ac

SHA256
8033ee4bbec932c306cd30912c6755fe83a3ce0662407b2b101918c9ae38a408

SHA512
d02ad5d962f2b71c98720a6938b5d393d64ba7f2642d1a178f2a1b9d8278ec11d263b28ffd66f0d9fa4ac7a32138df90c0473394219a5588510cfb612f866567

Download Submit
C:\Windows\SysWOW64\Clbdpc32.exe

Filesize
80KB

MD5
c5828ecaede7b94597a77f6ff7a6d218

SHA1
edbead3a110564fa5aceb352d7a07d994fb65131

SHA256
a51e2035f34d9914c52433cbdb0f1c9c733c19113aeb981d633d2894ee28716e

SHA512
54c6873ce0a42a7daeae1ecf3503fe59dc84aa1de3759a909eb8527d4bda40571c7090f156a11a2d0ca70717e42a1ad61f4057a57bf89c7dcac13891673bab36

Download Submit
C:\Windows\SysWOW64\Clgmkbna.exe

Filesize
80KB

MD5
e2126e2357dc1168fb387a6c5d89d94a

SHA1
974450ad18cc88abb2c4252feb40a87743f3ac2b

SHA256
24cfad917be93af356322528936e0000e15ca79713de8a9b48030fe90ae387bc

SHA512
6beb5a55558296db67f1e6a91bc7d0f791455c14ca4b6dbad9bc6a38cae9040acbd2f17623675d20a587544dfbd1ba8b32ad643eb6f1665f0a83068b4f77d784

Download Submit
C:\Windows\SysWOW64\Mccokj32.exe

Filesize
80KB

MD5
48ac8ca9ea28d3f4ee0d0772f78def25

SHA1
dc969ea06052bbe82547cc36d88369904db40d1e

SHA256
3d9345b0da2c5a3c6f678b2288e2ed75ecf5b146e1c060cc6d67c25e5dbc7429

SHA512
a3e6c7ad8643c667dff146bb7a11306b85cfcd802cd7a43ff4362a9f6578c4f1ac1e3ea4741da63bed9afc5da799b3bade9c05f8c2cc2d9fa7d2add42e633419

Download Submit
C:\Windows\SysWOW64\Mcoepkdo.exe

Filesize
80KB

MD5
741652530b4ccd0ceac02877cc023d53

SHA1
b795376c87d08b397182bb46c93230ed55cf0567

SHA256
26e764df6c9168a9241dbbb73b43222c4e9b5a596a72d9c66723a15566a0155c

SHA512
2521036c94ef60b496a5b0aa2885d937c591a719a759e56d192f38a04ad967a92676717cffdff51e35c2c56ac06cf1b59ee4cdc780447a9cc16c34c03067c2cf

Download Submit
C:\Windows\SysWOW64\Mebkge32.exe

Filesize
80KB

MD5
c2027f2cccb7302feb9a3fb2e2f914e2

SHA1
9b388a00375cd2d60cddeebdc3075f0e2ba7cd70

SHA256
51c70693dea65cf632321d26dd90c04366fd603267f6d3467dc2625414c9254a

SHA512
5221de1b071fcbc4fe662e74dd76fbfc6acf15d31fa33d26f8a48c0cf3614efa84769180a7e8c109907cf38cf3247955880f439f8d224a672c58fe65d6f7e196

Download Submit
C:\Windows\SysWOW64\Medglemj.exe

Filesize
80KB

MD5
ffeac78850bfd5bb58ab55456f52cb05

SHA1
023e999b1612fb901d63ad5dcb81d8bebfce7ba2

SHA256
04d4d0207ecd51c1a170a2c176ea653763043ece99dc8512eb5f097a562a53b9

SHA512
10a327bd97c7588cfcd946cb99902642c3cb42cb0428802c0abe42ae8d10438d508237195662da093f1d0ab40288aa1e1b0b857d35f47c28f56d43714cd4ac9c

Download Submit
C:\Windows\SysWOW64\Mekdffee.exe

Filesize
80KB

MD5
9f52c3253ad2922bcfa6fda49d04631f

SHA1
5e03c59225503dfb7560b0951a4d7d2713ccba3b

SHA256
b4c205e922168f8cb956425d412f63b3f648b33e0d78b8dbe233b29f58d12710

SHA512
d31590c9549b6e7aaf5eaf94ac3c41f44df82a39556fe08e1a2ce5566ba77bdc2d534c6b5ca37f566d7b80c61bbd164cd58c089ae7026849cb884d593e751df1

Download Submit
C:\Windows\SysWOW64\Memalfcb.exe

Filesize
80KB

MD5
52a81042619c107bc8131c83ce22415c

SHA1
af6cf78ba6667517b92efb006f60fe577d37be5d

SHA256
d9db9f73adbcbb6d707ed462f843ce80f5a256d04635bb7eb7ab4913e3415cc9

SHA512
5c55c199f951fc0470990f33a89e55a9f172d3d8f2e5ccd74f14971d87a52ebf97a90807e4e87c9dde6438e0627a98d5a74b224d47706d265cffad589fedb24b

Download Submit
C:\Windows\SysWOW64\Mhiabbdi.exe

Filesize
80KB

MD5
a2d1f6a0898dd812959eee20067f6a97

SHA1
081329effac4f8a77b665129fe71d5ff9ead9e60

SHA256
ef18b792262ab26bfd3002bfaa1be3219b12a9e1bc7a7a022b366bbe6bb15964

SHA512
d29a010f7eb82cca5b038e88f04ba79c14848480055c426ef5497403f4117a5f507c44bfbba04f9c90fae384cef7874bde63f12de0db6f22743d4e1330a3143c

Download Submit
C:\Windows\SysWOW64\Mhknhabf.exe

Filesize
80KB

MD5
6571a436d84f292e11fea673907a90d3

SHA1
cada8fc00b21f7a65fc55920146fc68b346b068d

SHA256
b73b20851492781deeb18f40bf22a29fa1cc26fd851339163ec8bdeef572875c

SHA512
86a4a39459c22ce048d404f7faca5f8f46799077a43dab2ce44a8909d0fd99faea085cbc5f529312be7176f7828c72b624f47b3b2fc94971c673b78164446393

Download Submit
C:\Windows\SysWOW64\Mhnjna32.exe

Filesize
80KB

MD5
8f773123cc632d70ef357eb803a4d1d0

SHA1
e073e843b0a32e36b9bf99c9371a0d2347d63303

SHA256
f5c6a9d1e41e690e6c864f7aa430ebb384ef65d05892e8afa11806147b0d9838

SHA512
c5e85ee5a4d434f218ff0c40165483ef3f4d8cb202f6305458b46a06caa2d0774873399d2e49ff7ead443bcb69c4d6cc5e884db063a059f58801a2cbf2a0bfc3

Download Submit
C:\Windows\SysWOW64\Mkocol32.exe

Filesize
80KB

MD5
178e4f28c80308fe0685ef627c9c800a

SHA1
b3492cfc2f43296e06615d5bf60746a885222c66

SHA256
76d3e1fd321862eae5616680e1eda49e324d23a0eb4b043c224b3bdb47cc0064

SHA512
172f7e0b45eb75730f148b6923966fcb2bdacf5ff7e7212fae67283a12a04e13a91e47015f11bd786ade6bae9402ff8b7d4b7e99573a513fee7cda1c03bf6b64

Download Submit
C:\Windows\SysWOW64\Nbbnbemf.exe

Filesize
80KB

MD5
70ee3cbf6e1ea81a44969070c2e7a547

SHA1
2418b8f86ed17d38b8d479b9e2be8f4e7a90fdf0

SHA256
ecb7d2f035e0edc3507a3a2faf78679ec75ad0a194c66a38cfeb38535ef5ce05

SHA512
cc1ce0c112610cd691912296bfc3c54a69d87fa3d02faf37ee68ef5eff2da0f0cdf34c3fadbf61aa77f11f9182aee1a5f64a343c43ecc58f1896eec34bc5e08f

Download Submit
C:\Windows\SysWOW64\Ncaklhdi.exe

Filesize
80KB

MD5
2a60ecbb2202b1fdc03f3cdaa4302015

SHA1
22a697ffe8d12fc3d77240265ae75c26234b170c

SHA256
82afcb67969c82bbce1db176dd787786ddf0b6e4ae8af8d6f7c6b99ab23ff195

SHA512
441a8bc3e501727cb17a9265c339d9f4ebe71e70fe8ef417da8e582aecf8e88d3007ce2d7475f42d83dd90566a6ea29926b3795c101fbdf0bef88c5e796f414b

Download Submit
C:\Windows\SysWOW64\Nchhfild.exe

Filesize
80KB

MD5
71509a8456c0a0181ff393809d5fefcd

SHA1
8b110f20013a2af42930cdeda931bd0f1a630b05

SHA256
376ad9b2c3b1af149dd960deaad3f43a1a65fa55d6cd7269b398e55c69f9327a

SHA512
9e6a6465533d239d80d341245ff15ca4e4b979750aadcd8cbb504d14f5cf619260597df168e2aa3e1a8ab0b82374479d505fed5235534208fc243f64456cdc76

Download Submit
C:\Windows\SysWOW64\Ncjdki32.exe

Filesize
80KB

MD5
7bee151e21d9dfd1219a4fd09f16922e

SHA1
d3a3b33a89547dbdd80db490fd459f08df6da6cb

SHA256
a2ffdfd4734331b4551dcd2910663098b7ea4a963a275a059e84d179c450d970

SHA512
9cbe932999e8e33c03916271b5ac8699a1c714a6115c9c458bfcf08e5518777243e49d6451a106b8ee9cab774486ac6e1bba2b33c14cfa6d937c056361f24f96

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
80KB

MD5
b2848f09a3253d45b175c354308cbee9

SHA1
4cfeae78d840947741199af4fad28856f6542294

SHA256
ffa742a60d6b4fffd7dd185ea8164bd97d345295ea36fc7b8ac3ad8d93ae2c0d

SHA512
6c238ae869cb01507cadb038a258aa9e2407939890b6e007c38887b6c845930a9d4e7836e670e438ba8c26aa1f3dc024f8fdfba966641cae46b6eb0ef6dc8e8e

Download Submit
C:\Windows\SysWOW64\Ndnnianm.exe

Filesize
80KB

MD5
9086b175004facb2f42ef072d762c2a9

SHA1
fc10d80e040d2d1b826c5eb47b70993070f189cd

SHA256
17119185dd203ee5f1cc87711fa1876594f48fb06f138a6d920c8918f07b2b8d

SHA512
1c611732d333db9d252f86807b3c16d62ec1a040c06b33de84f06c652151cd36862205e2d124a4448db112ff181b9e4b8cb8a3c62801784c52fdc2c1d630352e

Download Submit
C:\Windows\SysWOW64\Ndpjnq32.exe

Filesize
80KB

MD5
8993f9ac97271e0be851758b833b6a67

SHA1
1dc2e3fe357b2f8785d9bc2d7bdf12df15e8e701

SHA256
de770faca92466b9da9d71d49b844a62918cf473135e0b922c450b4177f19b0d

SHA512
8cae80aa317d2e87c05b08257ff6e01ee7bcde1a7fb7c4a70777fdca6513ef42e8d984c6513697ef092dc36b045ea629ae3ea2f2db80e4048b8375e8dbe2fb01

Download Submit
C:\Windows\SysWOW64\Nfpghccm.exe

Filesize
80KB

MD5
d62c8ab4de4599aa86a4faa01acca95a

SHA1
e31ca1f5f50554247bc901102ee72a8b0b0502a7

SHA256
717b6c8ad01fb33dc9309cc42e4d6296a8df7dcd6120b7ddf1c117840750df2a

SHA512
0360aa800de4160e1d32f136249d764491f1209c07ca1cd66f847a82579b5f1889aad1e7d34269276d3506423e5247217358a062f14f837eed14445e8912a623

Download Submit
C:\Windows\SysWOW64\Nhbciqln.exe

Filesize
80KB

MD5
40f254bbb7bfc26531aff756f475743d

SHA1
aad79e3e998ba56a39ec4fb191d94bc14703d707

SHA256
e3d03ce0d5131191130cf0160122d62adb36a1308c9e1e8d6212df7f113921c7

SHA512
b412a23e4089705c41c113c7d59f63cc38a27ad78d4a43d45103ef4f602c1b586fd50d3336f16130789b976417b1e85a047a5cd4362192fa6763690ca98b2b08

Download Submit
C:\Windows\SysWOW64\Nhjjip32.exe

Filesize
80KB

MD5
3a3cfc72e1edbcb8d4b5ce5fb7dfcd56

SHA1
7614b503ab760d9d225f8453f103ded0941ebad1

SHA256
d079d601d6139ab7e1674cea800e47bcdaad0c91c4230d5321a31c3d810f0ed6

SHA512
5bb7d470ad967c856a905fe380702d3b30e5d626503eb2f064fd2b9a6828d2b7c4a28ed2d48a8ab208b845c719053d4493148c74570b9f0031985ee74d67f7c4

Download Submit
C:\Windows\SysWOW64\Nkcmjlio.exe

Filesize
80KB

MD5
7f4bd5c06e6aa2ad36f27df990801f40

SHA1
b0c5da108e7bed6b831153a9a5bf08d769e6ec3f

SHA256
dcc62729a2c6ad78d06f3da476b2bc6e0f2aa1a00c04da059e9b460017f2d1dc

SHA512
ee3acceb8ff85af4ba662fddc052779fe1519e565897a2d344ea971cd0fde9d21a00dcca68494b7a6e6d492e29cd568dbfa6648840d5013ca2a67c7bc44d4e2b

Download Submit
C:\Windows\SysWOW64\Nkhfek32.exe

Filesize
80KB

MD5
aa07d1f77d7adf9339df5871fedb604d

SHA1
7a33aa67c0b509cfd7060b56f03dd4a4093025d8

SHA256
ca44baeb3b3bd71d865f14cc642eb727f852fc6f218f853c97f2ac5fbde3423c

SHA512
916ebd590105a63e8fa2b44fe1f8f44132404a9da4f3bc40fb8684d9aea9d5686bb95a12bd28e797fbffa3483b91ef61a79474abbbbd4ebd3d5d57b273c3ee5f

Download Submit
C:\Windows\SysWOW64\Nkjckkcg.exe

Filesize
80KB

MD5
1eb1d89c6898c3beb5c1a595df3af8a8

SHA1
4b8c5b33936afb4ae6b34b0ba5c9941e3465d907

SHA256
e4dcf0760445511f7278ca2217d661e4a16b05bc63ff6b2c883dffc009790ec4

SHA512
1d53e30dc52427dae724684ad51187393a29f56413af139229b64c95991c6e86cc90262831476d7223da7549de6da43a6e865a8915d7dd8828f9b5dde12104e8

Download Submit
C:\Windows\SysWOW64\Nlcidopb.exe

Filesize
80KB

MD5
ec85a4b8b12417baf53578eb81c375ba

SHA1
6c9f80939d8143f24781a6b60def88a6aae66232

SHA256
bbfe8243c6bf73bc4495de15074eab2a13c8efb60c4b08c1cd153fb5017f6e1d

SHA512
c1bf561a7a06614e3ea030231dda56bb82d314f3c92ee8ef82608750000875818d824a7abcc88c45fc28f630a5a15c57d366be31f8a41f6a0d0909d381b27206

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe

Filesize
80KB

MD5
ac45d9fcb7385d52c7bad54e49c65c17

SHA1
ffaea52dd727676a94b77e3ba5cc928b82ade144

SHA256
526156f978177130de8efddd54df1520fad8ffd71b7672f75f1fe1596aad8e28

SHA512
8b4f1aaf660a6153f2929a3eb6b1d024b1ad8975d3bdcb426c785b76980d2139436db039c33dca837bdf14181de4de55c9de6ca91966e3f17df0733534593fa9

Download Submit
C:\Windows\SysWOW64\Nofoki32.exe

Filesize
80KB

MD5
6a53f0958fc6cf30f4b99169fc76c78c

SHA1
feee6f66fec97cb0e71ab980fba8511e4ef57784

SHA256
f9e0076928b394ac3c49561f08290f06a73674737725a3211c865da6e4497a3c

SHA512
351685aafe64aea36d1c45502a2cffb87136a62ed5d906c43d37e8aa3b2120e02f4eeb0138c21d5f15faa68f50af73ec340061a3c554da03947ae8afa9165755

Download Submit
C:\Windows\SysWOW64\Ocdgahag.exe

Filesize
80KB

MD5
7f13abad79f63d8086b3d0594baf5adc

SHA1
58fca1da1679111ce0d32482f2dfb518102e66b5

SHA256
b931c4e5ca82306e30272bf13dee7955f1303ea2838ebf006a330c2a3ce4a067

SHA512
b11aac74adcf85b3e5163036a1567e82f2db53590e42323a8398e27e10576ab77822b4c65b75228a616eb3364895bb7c14e6d039911d18160427ae51ea9c9842

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
80KB

MD5
c6def7fbeb0493827b75489c6920ee33

SHA1
13bf4396633b1bc900868f649dcced97fe03f95d

SHA256
0ce9da886e3dbf02124cd718019fd6a17701f95a022bd49337239eed03f264ab

SHA512
6d70bb234930105f755e4d86502094bebcf29a703c8adba36ac4f03c9c97d1478919bfc61dd7f4aedcc7057888e1229ef607c3c2e65135ef84c0ead876d3fcb5

Download Submit
C:\Windows\SysWOW64\Ofbdncaj.exe

Filesize
80KB

MD5
59927defc6f3d2392725e1945da54c08

SHA1
f8ed665d8391e67ae9567ed5e18348170995b6d2

SHA256
3c4cd66aa85ebddeff58ccc5049ebfd84fbdeecfd5f3e0e6a3a9dbff7ca4a3db

SHA512
a63655e9018296cb98bb83f5dffcd1ddfea1340b7057798123876efcaabcc414619f606dd647ee83eb6f7594963c3d44ca965d5107fc6c5ff81f7176eded9f18

Download Submit
C:\Windows\SysWOW64\Ohncdobq.exe

Filesize
80KB

MD5
a4ba62ba2c9f7d9508e7f0a4fe336617

SHA1
7d928a3214a0e2e965675052ee645c73b8e73bc0

SHA256
3352793f2dcf88aa6d80028be03637f9dae9959a8b2cbed5046478c343d48499

SHA512
e8f224603245ec2953b6dcb6021b8f3dd211307744d24f423dfb23a7ae5963e936fc2e6a9316131ae0303228f8c1be707351b7e4de02a15e7e387f0ec965eb42

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
80KB

MD5
86353bc7f4b89d8348bc0816bd2d7424

SHA1
2187bfca1592472ad6a5190e634e4b0ebfef2abf

SHA256
0fc0b83ff7deea9115a18e91f89758be8e0a246573e9b39cf5d45691f14a2cdf

SHA512
f911bd0362d7321dc4467b4780b34b5a07029e59307924211ea5fc2c4d88d932fabec6e0ab4f6382fddf1271aead239df6329f4383f313b33fa3fc529f05bd8a

Download Submit
C:\Windows\SysWOW64\Oljoen32.exe

Filesize
80KB

MD5
89fbab694b9db9b105a9f3c574095607

SHA1
783f6b403197bd3519fae3b4637eec6da5fc891a

SHA256
104001ff64539eded32e504c2c9d429a4fa5629d1352efa544ed348b515b652d

SHA512
65f077606de364d5877ba052cbba234a998f73ed183c6744014e37ad8b08a47b8ef8ec1721bf741ffc65c026ef07c47ad0157a1dd62ed1a64178ef83c94e0973

Download Submit
C:\Windows\SysWOW64\Pcpgmf32.exe

Filesize
80KB

MD5
0b106dd28eb93eb0c35a3355e1a3cdd4

SHA1
3c2f872fd43a3ae573c97cee53ed8c7c5f18c97f

SHA256
e8e341d8052df8599ceb9f6702f97bc7957ae4c26511576590b19f8734e598bd

SHA512
7789b9675c2a07e96cd00a768b127b5ff817b472a5876af7cbab5f3d4a9f938de9d881ca10d985c6dd92ce0a5e2b6f5087193270c028864b9bde570995e4e313

Download Submit
C:\Windows\SysWOW64\Qkdohg32.exe

Filesize
80KB

MD5
fb119c9a238f790da6f429f2558962f5

SHA1
4b3bda0378928e6fd2bac58196172ffa3488b208

SHA256
8066e9b54610aafe387347988fafdc58ba370a01d102015d277488e8226e9d4f

SHA512
147b1ab6cb6dcb6ce006a8154228c06c743a0226b40f186af0a65dc043cfe6b8a51856248affe57dfc158cfb939c3ad27351ae1b17bbe455d4f52f06f3c02a7e

Download Submit
memory/64-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/404-245-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/404-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/464-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/648-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/648-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/756-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/756-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/876-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/964-446-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/964-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1064-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1172-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1172-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1268-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1268-474-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-468-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1728-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1728-210-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1784-426-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1784-494-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1960-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2008-186-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-439-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2128-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2328-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2400-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2500-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2540-453-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2540-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2680-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2784-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3120-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3120-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3160-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3184-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3332-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3332-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3372-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-130-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3688-432-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3688-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3712-433-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3716-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3716-228-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3916-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4044-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4044-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4064-440-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4132-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4160-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4160-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4184-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-211-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4304-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4304-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4420-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4420-481-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4680-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4700-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4800-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5000-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5028-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5056-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5128-475-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5188-482-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5236-492-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads