eb066406d73fe794f9f4456a869cd3838db52c67f65eb0c6e2d2aabd4fb41c94

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cfcf3618920e06cc02ec61b8b7429c0N.exe
Size

64KB
MD5

7cfcf3618920e06cc02ec61b8b7429c0
SHA1

977e0e68f70402ac097c008993e085a8b2118ba8
SHA256

eb066406d73fe794f9f4456a869cd3838db52c67f65eb0c6e2d2aabd4fb41c94
SHA512

1469126745e8b9d19d8d88d0386a8055c5bde6c89e9e1db58d28c33536169f4fb5a8f7f84352405be9917f5710cbbcf4e96aea6c3ba977eb0c6d59173c9cef91
SSDEEP

1536:paBvRPM02TCxSlS7/fHQyufBAyCbRevlbDYE8Rm0Z:paBWS7/fbufB1vlfY/m0Z

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7cfcf3618920e06cc02ec61b8b7429c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe

Executes dropped EXE 64 IoCs

pid	Process
3240	Miifeq32.exe
2836	Npcoakfp.exe
1876	Ncbknfed.exe
736	Nilcjp32.exe
4004	Ndaggimg.exe
844	Ngpccdlj.exe
1348	Njnpppkn.exe
3468	Nphhmj32.exe
3744	Ncfdie32.exe
3916	Neeqea32.exe
1852	Nloiakho.exe
4760	Ndfqbhia.exe
1376	Nfgmjqop.exe
720	Njciko32.exe
4188	Nlaegk32.exe
3848	Nckndeni.exe
1776	Nfjjppmm.exe
2528	Njefqo32.exe
2804	Oponmilc.exe
2988	Ocnjidkf.exe
4392	Ojgbfocc.exe
2844	Olfobjbg.exe
2916	Opakbi32.exe
928	Ofnckp32.exe
4592	Ojjolnaq.exe
3564	Olhlhjpd.exe
4800	Ocbddc32.exe
3688	Ognpebpj.exe
4748	Ojllan32.exe
4340	Onhhamgg.exe
2088	Oqfdnhfk.exe
4056	Odapnf32.exe
2224	Ofcmfodb.exe
880	Ojoign32.exe
3244	Onjegled.exe
5048	Oqhacgdh.exe
2012	Ogbipa32.exe
2664	Ofeilobp.exe
2968	Pmoahijl.exe
4552	Pdfjifjo.exe
4368	Pgefeajb.exe
1920	Pnonbk32.exe
548	Pqmjog32.exe
4560	Pggbkagp.exe
4556	Pjeoglgc.exe
2812	Pmdkch32.exe
4596	Pdkcde32.exe
1268	Pgioqq32.exe
4948	Pjhlml32.exe
3696	Pqbdjfln.exe
2592	Pcppfaka.exe
2764	Pfolbmje.exe
400	Pnfdcjkg.exe
976	Pqdqof32.exe
2308	Pcbmka32.exe
4492	Pgnilpah.exe
748	Pjmehkqk.exe
3412	Qqfmde32.exe
3956	Qceiaa32.exe
3100	Qfcfml32.exe
2272	Qnjnnj32.exe
2444	Qmmnjfnl.exe
1428	Qcgffqei.exe
2476	Ajanck32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Miifeq32.exe	7cfcf3618920e06cc02ec61b8b7429c0N.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5436	5580	WerFault.exe	223

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cfcf3618920e06cc02ec61b8b7429c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miifeq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 3240	732	7cfcf3618920e06cc02ec61b8b7429c0N.exe	84
PID 732 wrote to memory of 3240	732	7cfcf3618920e06cc02ec61b8b7429c0N.exe	84
PID 732 wrote to memory of 3240	732	7cfcf3618920e06cc02ec61b8b7429c0N.exe	84
PID 3240 wrote to memory of 2836	3240	Miifeq32.exe	85
PID 3240 wrote to memory of 2836	3240	Miifeq32.exe	85
PID 3240 wrote to memory of 2836	3240	Miifeq32.exe	85
PID 2836 wrote to memory of 1876	2836	Npcoakfp.exe	86
PID 2836 wrote to memory of 1876	2836	Npcoakfp.exe	86
PID 2836 wrote to memory of 1876	2836	Npcoakfp.exe	86
PID 1876 wrote to memory of 736	1876	Ncbknfed.exe	87
PID 1876 wrote to memory of 736	1876	Ncbknfed.exe	87
PID 1876 wrote to memory of 736	1876	Ncbknfed.exe	87
PID 736 wrote to memory of 4004	736	Nilcjp32.exe	88
PID 736 wrote to memory of 4004	736	Nilcjp32.exe	88
PID 736 wrote to memory of 4004	736	Nilcjp32.exe	88
PID 4004 wrote to memory of 844	4004	Ndaggimg.exe	89
PID 4004 wrote to memory of 844	4004	Ndaggimg.exe	89
PID 4004 wrote to memory of 844	4004	Ndaggimg.exe	89
PID 844 wrote to memory of 1348	844	Ngpccdlj.exe	90
PID 844 wrote to memory of 1348	844	Ngpccdlj.exe	90
PID 844 wrote to memory of 1348	844	Ngpccdlj.exe	90
PID 1348 wrote to memory of 3468	1348	Njnpppkn.exe	91
PID 1348 wrote to memory of 3468	1348	Njnpppkn.exe	91
PID 1348 wrote to memory of 3468	1348	Njnpppkn.exe	91
PID 3468 wrote to memory of 3744	3468	Nphhmj32.exe	92
PID 3468 wrote to memory of 3744	3468	Nphhmj32.exe	92
PID 3468 wrote to memory of 3744	3468	Nphhmj32.exe	92
PID 3744 wrote to memory of 3916	3744	Ncfdie32.exe	93
PID 3744 wrote to memory of 3916	3744	Ncfdie32.exe	93
PID 3744 wrote to memory of 3916	3744	Ncfdie32.exe	93
PID 3916 wrote to memory of 1852	3916	Neeqea32.exe	94
PID 3916 wrote to memory of 1852	3916	Neeqea32.exe	94
PID 3916 wrote to memory of 1852	3916	Neeqea32.exe	94
PID 1852 wrote to memory of 4760	1852	Nloiakho.exe	95
PID 1852 wrote to memory of 4760	1852	Nloiakho.exe	95
PID 1852 wrote to memory of 4760	1852	Nloiakho.exe	95
PID 4760 wrote to memory of 1376	4760	Ndfqbhia.exe	96
PID 4760 wrote to memory of 1376	4760	Ndfqbhia.exe	96
PID 4760 wrote to memory of 1376	4760	Ndfqbhia.exe	96
PID 1376 wrote to memory of 720	1376	Nfgmjqop.exe	97
PID 1376 wrote to memory of 720	1376	Nfgmjqop.exe	97
PID 1376 wrote to memory of 720	1376	Nfgmjqop.exe	97
PID 720 wrote to memory of 4188	720	Njciko32.exe	98
PID 720 wrote to memory of 4188	720	Njciko32.exe	98
PID 720 wrote to memory of 4188	720	Njciko32.exe	98
PID 4188 wrote to memory of 3848	4188	Nlaegk32.exe	100
PID 4188 wrote to memory of 3848	4188	Nlaegk32.exe	100
PID 4188 wrote to memory of 3848	4188	Nlaegk32.exe	100
PID 3848 wrote to memory of 1776	3848	Nckndeni.exe	101
PID 3848 wrote to memory of 1776	3848	Nckndeni.exe	101
PID 3848 wrote to memory of 1776	3848	Nckndeni.exe	101
PID 1776 wrote to memory of 2528	1776	Nfjjppmm.exe	102
PID 1776 wrote to memory of 2528	1776	Nfjjppmm.exe	102
PID 1776 wrote to memory of 2528	1776	Nfjjppmm.exe	102
PID 2528 wrote to memory of 2804	2528	Njefqo32.exe	103
PID 2528 wrote to memory of 2804	2528	Njefqo32.exe	103
PID 2528 wrote to memory of 2804	2528	Njefqo32.exe	103
PID 2804 wrote to memory of 2988	2804	Oponmilc.exe	104
PID 2804 wrote to memory of 2988	2804	Oponmilc.exe	104
PID 2804 wrote to memory of 2988	2804	Oponmilc.exe	104
PID 2988 wrote to memory of 4392	2988	Ocnjidkf.exe	105
PID 2988 wrote to memory of 4392	2988	Ocnjidkf.exe	105
PID 2988 wrote to memory of 4392	2988	Ocnjidkf.exe	105
PID 4392 wrote to memory of 2844	4392	Ojgbfocc.exe	106

C:\Users\Admin\AppData\Local\Temp\7cfcf3618920e06cc02ec61b8b7429c0N.exe
"C:\Users\Admin\AppData\Local\Temp\7cfcf3618920e06cc02ec61b8b7429c0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\SysWOW64\Miifeq32.exe
  C:\Windows\system32\Miifeq32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\SysWOW64\Npcoakfp.exe
    C:\Windows\system32\Npcoakfp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\Ncbknfed.exe
      C:\Windows\system32\Ncbknfed.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:736
      - C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        36⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        63⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        69⤵
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4860
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        81⤵
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        82⤵
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:512
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        86⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        87⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        89⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        91⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        97⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        99⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        103⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4404
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        120⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        127⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        134⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        136⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 404
        137⤵
        Program crash
        
        PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5580 -ip 5580
1⤵
PID:6140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beglgani.exe

Filesize
64KB

MD5
a023b0c39cb13cf11f0747c6ad0299bc

SHA1
e03554522fa8b4620d40ac222a3f4bee5d154c2b

SHA256
4f543b3e9417f8c048dc8204384ee7cd7c6a0682e4ec237de099475c96bef44c

SHA512
52a4f212d592783091d3737edb203f01460577a978140b163c3fcc9ca6ff49bf2d76e00e1d3a42b42855ac97c152edcb1d515e138a8158ec19e7b8a553e2525c

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
64KB

MD5
b2c49e28df5b702c409c39ae4f5daf9c

SHA1
076312d128b9e3c4179497aeb75a17f5ead92f4f

SHA256
f044a106666b6de6f9539826f6b97829da2e14e25576e53983247693735a051a

SHA512
7db7c98020c286d3c6b3775e55f8c0d4647ef6bde10e74b3e7274b1f323586bae1544c1ddf825f180c34b43be2959e45275ed725f2fbb5563b2a5dd7c863b3d2

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
64KB

MD5
21504de96e2f11988c24239912004a3e

SHA1
25985bbd11db30c3e52f51991ab7e0247beece49

SHA256
ee8b26ae20f856c998b0a8c9f34ec0edd4df183b5c19cef6450b3a5b72227385

SHA512
30ac55f495a2141d7ff8dcbd26608814eeee886d58dd356cfed0431930019ff4d9da884bd3fc3d54bd8e0fe2cc89069147c9cb1406d367bca6eb2d940dc8e12a

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
64KB

MD5
9dd9653a15e54778514335cb4b89f287

SHA1
b9c315e475d8f7d0916884b84015d02fe5f462a7

SHA256
0795c93ea3b797a056f035ec450710a85dbb52225891171dcd1e26a3f6edcb52

SHA512
c03ba5ca586b372eb1c6ad388cb5bfed8aef0fe989c2c4979d2bf037740ac4fed98055e89350164015d0ead421cf9d8c371710c0542901b331014317d63f3f57

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
64KB

MD5
4d226f61516ed3ea6c0fb8887565996e

SHA1
9459c8f6b865e3d27ff60787b077ef40d4cdfca6

SHA256
3fc5f98b351d67985167ffc6df640c9406c10cc8abb391261064598b05c7e6e1

SHA512
16b208eb49d5326c77976d92f9a6ec020d707f8f65560f635f7464792e2e31ac48f24f73c3d61ed0df3fc5392b0f74c9db98de1191b41f290a09d0b783820d29

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
64KB

MD5
e039c1c2f7dd785f4d9de43d21ed20e9

SHA1
202cf88e9b3a8632e40b65467e83e31a94906c82

SHA256
32216ba222ec4df33946ed5a9350718a351e1e4078adfef4fe920b9ceb55647b

SHA512
3d6fe240e87bc616295d5fa002bc160b92f6fcf69b7c6973e03d80e400cfe0e0927ae705a871cd2e46f6d5740dcf1bb1b6253ea21829a05d86f8bbd95095d40b

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
64KB

MD5
afec22f46ee40d354255b828bcab3629

SHA1
96de1c7254489d03bd21be237baf72ee626f22f4

SHA256
ffb90c9fcdf7f726130df33ea9c1d6014b0e93a37cbe699c0df085f5973c5324

SHA512
911c4c84bbcdc00456910bd62afe5a4c42e602c25b9321f58174f1c89bd8f9080d856fac450183f5c5677018e17012b14da736340acd22cbf840f68d8544ab7c

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
64KB

MD5
5b05cdda0259df55c865bc95a7e04b9c

SHA1
ef36318c4846d8e5b6d9c099980c0ee25cba5898

SHA256
ebd60bb9f2391c5c696c8ee6bf04ae33c64241d724a419af29f7866c9625b7d2

SHA512
50eb817437b2cc44837d16ed27476b774b7723651be8c7f0c3bd001b981310a9453a30d2aca907bbb5344eafead5d4493ac19474f4e0b875458ac02ece2f4b06

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
64KB

MD5
57822a4cc8cbea797af9004cb402366c

SHA1
dfc2b14d8b0dd4036479c6d47efe7fc676da8001

SHA256
628454321b16641a596b968b29f64e51346d95d171b47383ca1a39356c12da9c

SHA512
76e66a169f2a88f37c3ca11620b30cc8636cb90488bbb187ee931ae05ac0fb8413c63ef3ed8144fee6f13d5a19f143b4ffc8134114f5c34143a1fdc2eec60aee

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
64KB

MD5
c417de1e148b113e69253857f245ed8e

SHA1
5a10a7cdb9828755b6ed2ccfcb711f1dad02dae1

SHA256
ce5802f10ee00d92441458c1fe944e97f8857d135d33f93b34030d9ad7126014

SHA512
2303f518a43de890b1cc442098dccb6032de1a1a43dfe653791e65dcb8981194c51d3847957f5c8bfad641abaae40639b680c7f0df4ddb6304dcf553e768b221

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
64KB

MD5
884e117e21c1311b99dbfb4a4215096f

SHA1
ecfc270c716a53c4eec86774e4b2ce90ccc87e18

SHA256
1fff2b940c1e4b2d2bade11aceef666698571181517d483ab1770deb0a9d0323

SHA512
059105b6b120258c9a00a954e98a1e02e576bbd23b2941018fc8a77a48ee0ec507a0189cb26ef28c7dc361f90f7206cb5b884e423a61ff5005d351dfeb587912

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
64KB

MD5
a124fe5fe3678ad9153497d5652bebce

SHA1
706ec8b7fdc9df433d436f201ecb8d448dd578b0

SHA256
a18a25a64ce8e67a74e2b5242a0af5588287343e14104552ed01f065209f90dc

SHA512
633b82e55efeb95d3c43dc5a43344c8a95c29da75f8bac730d969b749063783c43ab211d6c4518087253fa3eea84c24070099cdb016b6c07bbce3b279a55b429

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
64KB

MD5
03e6237f2d50a402857b77a73572effc

SHA1
c59a7104caec2cf7c51a6c209793c3500cce645f

SHA256
e8a13c7ac03adae63047f4d7e4929e8434ce347a37897bcce03879f0eaeb4514

SHA512
3227a3e8db0c58a43062917e02d057e6fc8a7665a60c4a53c5fe1faad53891f53cfed73548b2fd90280627d9e96cc9fe92c4d211343234ce209230406c55de0a

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
64KB

MD5
9295fd65fb9086e66ab9091689cd5d28

SHA1
faa56fa77d16d565b91bc80b7c741ba0283790a6

SHA256
b42a7e81539566096e55b5132badbd28432bede0435675d248d1e0f96b2ce3d3

SHA512
0cd314830f839ffc0f83fad82094eb89cace11016d148d9492373e43b73c22e1f50637675ffee39752cfbbe652ffa9d0387c17e0272879ce114f9c1966bf8858

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
64KB

MD5
6bfe9cb5761e018c4da067cfd9536fe6

SHA1
ec6ed5e6f903ab0a4bd3afebe32eb610bffd9341

SHA256
7a2438e42f5be62c7675c02862f6c3f5a71d5320bbb11009de5daf1307fe38e9

SHA512
586e911a5c585d573cd62a1475a6fbdfebe60af682258d33e78ee7177c46110bd6351074190fdff0a45acb5035f568ebda9101c13e56b9c807fc726ed49e0aeb

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
64KB

MD5
dec33296261f03886e8d15bfecd61f0d

SHA1
ee22a4874704219edb91cef2e7e01f860bfda848

SHA256
867fb4e2a208f6cd59a13552dd696b35de7f63335f2e4d3e5c257515404caa3f

SHA512
76768b5b84b9f7fc0f7f012d4b319eb4e63d346f5d6128719e3d01fc8013abb6c25a64311283614cb6fb47e737693d79091e2e00510ca91bc08008a0f6b69ad4

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
64KB

MD5
094a50b2a11e6318ad4f66bfece64358

SHA1
c6fd12eed1f8290d2d441278609af94612f72d60

SHA256
fa03a1de909480e797d9cd948b4706aabea03d947c452ec793e199e426517ed2

SHA512
b9d9939c17bb0c7c2f1d7a7b05a71e8c439ee2e149acbc4cfa1637618f07f99692628a97d68dfc55f2d797cc6df24717ecbfa2abfa28238c181f97bcd1ea51bd

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
64KB

MD5
6dbbf0a0ed02bfddd96cf134074cede3

SHA1
fe9d0d2bc2c95aa64c7fc8b6d782ebf9717b66b7

SHA256
75401f4a77b435095cd7721609c5d2bfbc07e09f9ffb3b0b57bcffe97473ee14

SHA512
2bcc3bd9754d6288a7e968f6ff99e837fb7c60413852550a8301972c87182c81ce540aea9ee8aeb292bd9fffcd68d2adea79f6bab5c2f83457fa0b06bf7cde86

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
64KB

MD5
2e91f01fd0578e553d914ba7b757ed89

SHA1
9d2df23138ead583caa497aaf3f82e2f288189ae

SHA256
ee153b4f12d337c6623ac4809db8007a0ae989a80baf005e58960dc7a1010c44

SHA512
6aa1b49f3f0dfecd200fc92f95e6872982f77132f854a19148aeef8e8f20082d4b3928be45b9458616257abbcc5c9dc193750d502bd83369e13b6b214844280d

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
64KB

MD5
0dbbc9966b465130efc46372afc4ea70

SHA1
9be07202083475f50e367919f0cc268eb3eed7a8

SHA256
fd96737efa05118324390f6834668f64bde4136d430523f13000c97117849c16

SHA512
a3e984bb65e1c44f1fdd883516538a27747b6116c41528d40c96bfe99799b5673fc09f0fb6540fa66137bc9343e12343123daa261e828802678ed92d9dafea71

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
64KB

MD5
e6c7e597d2078be80d22622c362666b4

SHA1
c826af3c8d364fdd3f5ad4a0887c73bb2889c8e9

SHA256
01d66e52a85d63f59ecf585b6245daf3665ab79096696ff6a1f66be9958391e0

SHA512
2a4e91300d5373a8cf2638f5ff54e330662fa97e9e2a2bc8f8564aa997eee1ac2cb638c7c8d7dd8415c513d8c806cf2cc0abb4f3f1e081582070a1009b0a20db

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
64KB

MD5
6477a929dca00d841b88ccb6f7e17e19

SHA1
70e8e620b158d6dd1afbf4295bb59538c6d5cc22

SHA256
ba84143724d40c13eeb7c5d749e3f15cd292fc527443761fa8c0c31894a57873

SHA512
59498678f8ff89c3e9e222499dd8ebc2183b5484bff97634e03706494b890a02d3375242cb351c3f7b42d445c75cae3edc66b0ffe69a1f1468ffccf1d21c0568

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
64KB

MD5
d605b1f4609805674440d84a102e95e3

SHA1
c09bc27757113b00d4552fd22f47f71d4d2e8094

SHA256
e75016678bb11e1c72b9dd3b09a96452d0f8baaed640f954a23dae26e36e6198

SHA512
3fcc8325403a40ad278e5a366bfdc49fb15409cddb4885342bb601ad7834ea24d6b30a5a36dcca859531a1075a84954b759c034fbde8fd5b4acd7f1110bbc0cc

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
64KB

MD5
d2b6787274080046f617dd1dec2d67c4

SHA1
64502d9ce97fe7590f2e386d65b3586339e9cf1d

SHA256
3b7bfd9775962867f16efbc7933785dbd992e4b3757e123ba801613fc48f4a47

SHA512
096317ec2bf72c17db8765b7be53ccdd52644aef13f7cac6e19d9ce7620938445abb9e91c379ac43dac404017fd7b450bc15748be466baf796387833cef92f79

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
64KB

MD5
e519bb3839c0543fc5716486955d5956

SHA1
1b4f4bb8f6140eb65f2dc501978ca7277cae5336

SHA256
d7de440fc087df88cd6fb7c150ac44f06d5d2326734e38eab17d1ec84d7a5c2f

SHA512
5d362f6a8cdb9404bcd80cfaddae4ae0af2f2bcc3a287fa5a85a528121a3afdb3981bcff989cc42d46421cd3b02ea35c767257cfda58b022f566efd6601df675

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
64KB

MD5
219adfa2541f38aba3fe6bc0b014424f

SHA1
f470fca11c537e764bf4d6ee535dad0a7126423c

SHA256
7d396e86b8a8f35c6ae3cf387fe5d9723179c5124496ed4f2fff88eaeea7f49d

SHA512
77182a6d606ac926aa7683811d54645839e45a569d32041e6ac168fa3eef541e49992303c01525e30972dcf00913532b6195fde7e44e264c9f6f3b3aaac0e327

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
64KB

MD5
43fdc3b1ea60ba2c007f7aa51c92225e

SHA1
63e2e1ab185b63209523c356740b7180c9e65909

SHA256
c6a6c12c193171f1deb8882c9338979e6bb124d57462751f8e95d309ad4dc7e8

SHA512
c012743841372cce049d1f02948d5316a2111be44542f2a4fedc09f0f0fff6519e18f80d639bbc540247fa8982e15cd5c713d83dfdee902d140be5420e02f742

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
64KB

MD5
1ed52d200bf46f3622908da394b24bf5

SHA1
af0e5998f92155d43a2b932cb44cafbc1b23166c

SHA256
b73f8d6920b4d150657348d66efb414836f89d3d534badca96ac9842ef313fa6

SHA512
12ab7e02d0735d809344b2a8102d0477f3e2d206f8cf51edd0f03d66f38c624026d19cd5f5071613581b4a3ac89545fc98ac064828eccc8a00a09741d71af2cb

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
64KB

MD5
3e9723062cb4373e84d5a3bc66633319

SHA1
88b71deae5f3090fdc88073596cf6e598c0c88fe

SHA256
91a941328f08ea5c63dd827a95aabdc41b0aca9a15e03f6c71266fa97697c56e

SHA512
791ef994933bc98f0a6829c0df789c8ad3f1e06607d251e0e55493fb61164c337964169307d66c268f0337dcd4739a8fb3b3caacc36b9afde1f2170889715e62

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
64KB

MD5
ec11881920e52f6c6225050444361e86

SHA1
1def47650b9d4cdd4edf24e7546e6f8d51976fbf

SHA256
2aac79a6f1861764485184e221780e799616ce417a857735fe959c53f0c630c0

SHA512
4873bd5dcd2598c19c10ada09778962977d1088346531ee858b2dad43fb46753899077e91b96e482ecdd3c8af3e7d96c495f9e0ccd54bb54ad92277c599a809d

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
64KB

MD5
32e6a422f79a613ea6cfc2515bde62c0

SHA1
efda0b865117325bd566a1955fd1263acd690bfd

SHA256
958950632f3de8a95d1af79c6c5e016bd485d953a303bc8e929fd744da56c3c2

SHA512
5b8e49c5cd80072bf49bfdd9806ebf3e202a72b6d34312e1ffb1239faabcd3306ed1a2f31f49d93a5da36d3680736649e72ebb3135fe4dca3fdf703efa02428b

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
64KB

MD5
960129da94e0618e83e6825c0cd0b3eb

SHA1
46a9cb499a9422c00eb2409a00d2cb3f9e2db860

SHA256
44b9baecd0473e7918b2a660accb10d17268bebd7bb02e2f5d1b1c60644bb04e

SHA512
33b5839acc734b8bb9ec197858e406c293e8a2aa82c735c1152eff72466eed7b678c6f431adc2a37bc971b37cbbed3dc4404e0a60b7df045ef84128354d95ac7

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
64KB

MD5
e95fc697b8b17972b9d3f53adcb55d9b

SHA1
240d830a0677112f1f77fe4d886c5fed548c2486

SHA256
93df076ff7fef18f16069b52374257174711e97c152c1720e8cc2f127e72763c

SHA512
4d9ff3a2257fb45f7d4c9c7a0bb699b7486f17448342938640be37d717dba2b4f7fd027fb8b2ed1c6ab4f68605891c72d0fb4d3db096354de049c99a598b9e5b

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
64KB

MD5
fea55764ee4a1933660c1226e9f67b8c

SHA1
0c3eb30c8dad6fd358fa0ed3d98dfab6682c7e62

SHA256
494abf9ab1619b8ec87c6e9c5e46eb78d3e35cdcd20b2564be60ce436bb9b123

SHA512
a284039195d5ac3cf82d526a023394e3da7cba7a2383e2e90603633a12b20f566647015356a1e4b16e7b2ecc7f75294e0183a264fb104d44d37b7b19d1926781

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
64KB

MD5
3de7878b8b89e94db0bce23f9b13d7fb

SHA1
1c45cd71ad75a93e19058c851f7bb88807549e76

SHA256
6eeaa232b2ff424440d2963600ffac026a11f91737fd2c761c9093e84e765841

SHA512
0831b0c85c2eb94fe770ce3a52a50dbadbec08a04372cc1ef299c3f20bf64dcad9bb05885adf489e87eb9b9cac50307642ae31ef766ded8e87d02fba43f801bd

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
64KB

MD5
dfcf13d4cc354da49006d549eaf41eb4

SHA1
d8d0f4ab7c70092e26f696f98c590be1a785594f

SHA256
d9d72e916d8e96b04be0399b1a1da0958d9bdedcce6958bc556dd8f0c2aec6cd

SHA512
6575c85b84aaf80b82b1a6d5137e6b2b70392a5646c015ef3357248e71f1c6f9eb511343991574b338befe03bd5828602dc413925aa29462fd98c9b13d3f8c12

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
64KB

MD5
167b8ac82aec4f00b4a3075f7c4f066c

SHA1
ce9e9c058cd1200339313c8df8c66c8bf0cbd343

SHA256
30113f42f9ed67b14be3b7bbc6cff4c2809e4f8250e97eb54273e299618ea7d1

SHA512
1bdd33e588f1a6f4b500eae35bfbc6db9de458cb9bd9497e1f5f10d2e8863fafd43aab476c345c458b7dbe86261f2d769eea94e9ffe72911f6ee277130e1188a

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
64KB

MD5
315c578cf77a990f79dcbf6298304482

SHA1
ba2e10f6dc4f4776254a885c3e532ec2df3c92ee

SHA256
761676cd97f6368597354176abab090e1d08463e8b6f73d7bb73787d3a762091

SHA512
b59af75aca834f3d12e25bd65a7e7b42c39997e9b1471f95f93cfd746f7725919fecccf43549606b4c517fee6a846483d3c8c725a5676cde7deccef685a7d8b1

Download Submit
memory/400-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/512-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/548-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/720-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/732-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/732-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/732-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/748-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/844-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/844-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/880-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/928-198-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/976-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1268-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1588-533-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1776-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1852-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2012-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2088-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2308-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2444-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2476-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2528-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-515-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2592-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2632-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2664-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2764-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2772-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2804-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2824-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-21-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2844-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2968-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2988-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3100-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3168-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3176-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3220-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3240-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3240-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3244-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3412-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3468-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3564-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3640-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3696-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3744-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3848-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3916-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4004-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4004-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4188-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4308-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4340-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4392-173-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-553-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4552-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4556-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4560-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4596-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4748-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4760-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-222-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4816-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4844-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4948-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-481-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5136-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5180-581-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5224-588-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads