e3660a39fad3cfbd92dbc145bbd0b9ff914e8e86ce774a56a9c8ccc4500575ab

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 08:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ad89217a9488c1cb34386c11ea199f0N.exe
Size

111KB
MD5

5ad89217a9488c1cb34386c11ea199f0
SHA1

4dafef60fe465abd4ac959b3e4cb3ae1eb2841a6
SHA256

e3660a39fad3cfbd92dbc145bbd0b9ff914e8e86ce774a56a9c8ccc4500575ab
SHA512

d98898ad0b0f7764b4caaba21babdde010569dbb404327216356b639bd3bbc1ed7072dad4217b30ded4c170d71ee62c6704cd41a62e1aafec06a63c666691c58
SSDEEP

3072:EExvhlpOyzARNe9w0v0wnJcefSXQHPTTAkvB5Ddj:EylpiKvtnJfKXqPTX7DB

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlgjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abjfqpji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bldgoeog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piceflpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfjllnnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfjllnnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dllffa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfoegm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bliajd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mafofggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpbpecen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cidgdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciiaogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkeipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofoki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mhpgca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Albkieqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlefjnno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Piolkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Namegfql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfpghccm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbgqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	5ad89217a9488c1cb34386c11ea199f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlgjhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbefln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nofoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cekhihig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okailj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clgmkbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bifkcioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dipgpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bifkcioc.exe

Executes dropped EXE 64 IoCs

pid	Process
1916	Mekdffee.exe
4812	Mkgmoncl.exe
2412	Maaekg32.exe
5064	Mdpagc32.exe
4448	Mlgjhp32.exe
4444	Mkjjdmaj.exe
1776	Mlifnphl.exe
692	Mafofggd.exe
4304	Mhpgca32.exe
3696	Mojopk32.exe
2340	Mahklf32.exe
4908	Nlnpio32.exe
3688	Nakhaf32.exe
2464	Nkcmjlio.exe
1460	Namegfql.exe
3456	Ndlacapp.exe
4120	Nkeipk32.exe
2172	Ncmaai32.exe
4872	Nlefjnno.exe
2232	Nocbfjmc.exe
860	Ndpjnq32.exe
4268	Nofoki32.exe
4128	Nfpghccm.exe
1592	Oljoen32.exe
4964	Obfhmd32.exe
2960	Odedipge.exe
676	Ollljmhg.exe
3180	Odgqopeb.exe
5012	Okailj32.exe
4276	Ochamg32.exe
2992	Ofgmib32.exe
3160	Ocknbglo.exe
4132	Ofijnbkb.exe
4400	Omcbkl32.exe
4100	Ocmjhfjl.exe
1420	Pdngpo32.exe
2284	Pmeoqlpl.exe
2812	Pilpfm32.exe
4544	Pofhbgmn.exe
3536	Pbddobla.exe
1004	Piolkm32.exe
2120	Pkmhgh32.exe
648	Pbgqdb32.exe
1644	Peempn32.exe
948	Pcfmneaa.exe
4460	Pfeijqqe.exe
4064	Piceflpi.exe
4284	Pomncfge.exe
3176	Qfgfpp32.exe
544	Qkdohg32.exe
4536	Qbngeadf.exe
2808	Qihoak32.exe
1568	Qkfkng32.exe
1080	Aflpkpjm.exe
3428	Amfhgj32.exe
2784	Acppddig.exe
3616	Aealll32.exe
4528	Apgqie32.exe
4904	Afqifo32.exe
3184	Aioebj32.exe
2432	Apimodmh.exe
664	Afceko32.exe
4160	Aiabhj32.exe
3304	Apkjddke.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ofijnbkb.exe	Ocknbglo.exe
File created	C:\Windows\SysWOW64\Debaqh32.dll	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Qebeaf32.dll	Pomncfge.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpllbp32.exe
File opened for modification	C:\Windows\SysWOW64\Nlefjnno.exe	Ncmaai32.exe
File opened for modification	C:\Windows\SysWOW64\Pbgqdb32.exe	Pkmhgh32.exe
File created	C:\Windows\SysWOW64\Hiagoigj.dll	Cidgdg32.exe
File created	C:\Windows\SysWOW64\Hodcma32.dll	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Dfakcj32.exe	Dpgbgpbe.exe
File created	C:\Windows\SysWOW64\Khhmbdka.dll	Piceflpi.exe
File created	C:\Windows\SysWOW64\Albkieqj.exe	Aidomjaf.exe
File opened for modification	C:\Windows\SysWOW64\Blknpdho.exe	Bfoegm32.exe
File created	C:\Windows\SysWOW64\Dfhegp32.dll	Obfhmd32.exe
File opened for modification	C:\Windows\SysWOW64\Apkjddke.exe	Aiabhj32.exe
File created	C:\Windows\SysWOW64\Jfdqcf32.dll	Bfhofnpp.exe
File opened for modification	C:\Windows\SysWOW64\Cdebfago.exe	Bmkjig32.exe
File created	C:\Windows\SysWOW64\Dpjompqc.exe	Dipgpf32.exe
File created	C:\Windows\SysWOW64\Lchfjc32.dll	Oljoen32.exe
File opened for modification	C:\Windows\SysWOW64\Ochamg32.exe	Okailj32.exe
File opened for modification	C:\Windows\SysWOW64\Piceflpi.exe	Pfeijqqe.exe
File opened for modification	C:\Windows\SysWOW64\Qfgfpp32.exe	Pomncfge.exe
File opened for modification	C:\Windows\SysWOW64\Ddekmo32.exe	Dpjompqc.exe
File created	C:\Windows\SysWOW64\Nocbfjmc.exe	Nlefjnno.exe
File opened for modification	C:\Windows\SysWOW64\Nfpghccm.exe	Nofoki32.exe
File opened for modification	C:\Windows\SysWOW64\Apgqie32.exe	Aealll32.exe
File created	C:\Windows\SysWOW64\Mjdmlonn.dll	Cdgolq32.exe
File created	C:\Windows\SysWOW64\Oihlnd32.dll	Dllffa32.exe
File created	C:\Windows\SysWOW64\Cfjeckpj.exe	Cekhihig.exe
File created	C:\Windows\SysWOW64\Imdnon32.dll	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Gdojoeki.dll	Okailj32.exe
File created	C:\Windows\SysWOW64\Pkmhgh32.exe	Piolkm32.exe
File created	C:\Windows\SysWOW64\Aealll32.exe	Acppddig.exe
File created	C:\Windows\SysWOW64\Mbgjlq32.dll	Bfjllnnm.exe
File opened for modification	C:\Windows\SysWOW64\Bliajd32.exe	Bpbpecen.exe
File opened for modification	C:\Windows\SysWOW64\Oljoen32.exe	Nfpghccm.exe
File created	C:\Windows\SysWOW64\Miiepfpf.dll	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Cfhhml32.exe	Cdjlap32.exe
File opened for modification	C:\Windows\SysWOW64\Ciknefmk.exe	Cbaehl32.exe
File created	C:\Windows\SysWOW64\Dbhlikpf.exe	Ddekmo32.exe
File opened for modification	C:\Windows\SysWOW64\Pofhbgmn.exe	Pilpfm32.exe
File created	C:\Windows\SysWOW64\Kialcj32.dll	Pfeijqqe.exe
File created	C:\Windows\SysWOW64\Lhlaofoa.dll	Apgqie32.exe
File created	C:\Windows\SysWOW64\Mkgmoncl.exe	Mekdffee.exe
File created	C:\Windows\SysWOW64\Dkheoa32.dll	Mlgjhp32.exe
File opened for modification	C:\Windows\SysWOW64\Mahklf32.exe	Mojopk32.exe
File created	C:\Windows\SysWOW64\Flcmpceo.dll	Mojopk32.exe
File created	C:\Windows\SysWOW64\Ocmjhfjl.exe	Omcbkl32.exe
File created	C:\Windows\SysWOW64\Apimodmh.exe	Aioebj32.exe
File opened for modification	C:\Windows\SysWOW64\Mekdffee.exe	5ad89217a9488c1cb34386c11ea199f0N.exe
File created	C:\Windows\SysWOW64\Odpldj32.dll	Ollljmhg.exe
File created	C:\Windows\SysWOW64\Dojahakp.dll	Bliajd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhhml32.exe	Cdjlap32.exe
File created	C:\Windows\SysWOW64\Cfioldni.dll	Mkjjdmaj.exe
File created	C:\Windows\SysWOW64\Mhpgca32.exe	Mafofggd.exe
File created	C:\Windows\SysWOW64\Kefjdppe.dll	Mlifnphl.exe
File opened for modification	C:\Windows\SysWOW64\Ndpjnq32.exe	Nocbfjmc.exe
File created	C:\Windows\SysWOW64\Odedipge.exe	Obfhmd32.exe
File created	C:\Windows\SysWOW64\Bkpjjj32.dll	Ciiaogon.exe
File created	C:\Windows\SysWOW64\Ciknefmk.exe	Cbaehl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmjlio.exe	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Nkeipk32.exe	Ndlacapp.exe
File created	C:\Windows\SysWOW64\Amfhgj32.exe	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Bebggf32.dll	Nofoki32.exe
File opened for modification	C:\Windows\SysWOW64\Odgqopeb.exe	Ollljmhg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5636	4568	WerFault.exe	199

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obfhmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciiaogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maaekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mafofggd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ad89217a9488c1cb34386c11ea199f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkeipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfjllnnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkgmoncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nakhaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oljoen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiabhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkjjdmaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Peempn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjlap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlifnphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nocbfjmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollljmhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddekmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcbkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cefoni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhpgca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocknbglo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afceko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mahklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpbpecen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Namegfql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bliajd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dipgpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefjnno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defheg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdngpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bifkcioc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldgoeog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clgmkbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddqbbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgjhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbcignbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdgolq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpghccm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgqie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apkjddke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofoki32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhejfl32.dll"	Mhpgca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebggf32.dll"	Nofoki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbfndd32.dll"	Odgqopeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opepqban.dll"	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdnon32.dll"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dipgpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Blknpdho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ollljmhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kialcj32.dll"	Pfeijqqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aiabhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfoegm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cekhihig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdejagg.dll"	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mekdffee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maaekg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloojfj.dll"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdphmfph.dll"	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecnjaee.dll"	Cekhihig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoggpbpn.dll"	Mekdffee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnjfh32.dll"	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkafdjmc.dll"	Afceko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	5ad89217a9488c1cb34386c11ea199f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkjjdmaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkeipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afceko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dllffa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5ad89217a9488c1cb34386c11ea199f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpacoj32.dll"	Pofhbgmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbeqlcg.dll"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfpghccm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Piceflpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qkdohg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naapmhbn.dll"	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nofoki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpgnmlep.dll"	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iipkfmal.dll"	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfgfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahgec32.dll"	Bpbpecen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fobkem32.dll"	Apimodmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Peempn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofndo32.dll"	Blknpdho.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 1916	4892	5ad89217a9488c1cb34386c11ea199f0N.exe	90
PID 4892 wrote to memory of 1916	4892	5ad89217a9488c1cb34386c11ea199f0N.exe	90
PID 4892 wrote to memory of 1916	4892	5ad89217a9488c1cb34386c11ea199f0N.exe	90
PID 1916 wrote to memory of 4812	1916	Mekdffee.exe	91
PID 1916 wrote to memory of 4812	1916	Mekdffee.exe	91
PID 1916 wrote to memory of 4812	1916	Mekdffee.exe	91
PID 4812 wrote to memory of 2412	4812	Mkgmoncl.exe	92
PID 4812 wrote to memory of 2412	4812	Mkgmoncl.exe	92
PID 4812 wrote to memory of 2412	4812	Mkgmoncl.exe	92
PID 2412 wrote to memory of 5064	2412	Maaekg32.exe	93
PID 2412 wrote to memory of 5064	2412	Maaekg32.exe	93
PID 2412 wrote to memory of 5064	2412	Maaekg32.exe	93
PID 5064 wrote to memory of 4448	5064	Mdpagc32.exe	95
PID 5064 wrote to memory of 4448	5064	Mdpagc32.exe	95
PID 5064 wrote to memory of 4448	5064	Mdpagc32.exe	95
PID 4448 wrote to memory of 4444	4448	Mlgjhp32.exe	96
PID 4448 wrote to memory of 4444	4448	Mlgjhp32.exe	96
PID 4448 wrote to memory of 4444	4448	Mlgjhp32.exe	96
PID 4444 wrote to memory of 1776	4444	Mkjjdmaj.exe	97
PID 4444 wrote to memory of 1776	4444	Mkjjdmaj.exe	97
PID 4444 wrote to memory of 1776	4444	Mkjjdmaj.exe	97
PID 1776 wrote to memory of 692	1776	Mlifnphl.exe	98
PID 1776 wrote to memory of 692	1776	Mlifnphl.exe	98
PID 1776 wrote to memory of 692	1776	Mlifnphl.exe	98
PID 692 wrote to memory of 4304	692	Mafofggd.exe	100
PID 692 wrote to memory of 4304	692	Mafofggd.exe	100
PID 692 wrote to memory of 4304	692	Mafofggd.exe	100
PID 4304 wrote to memory of 3696	4304	Mhpgca32.exe	101
PID 4304 wrote to memory of 3696	4304	Mhpgca32.exe	101
PID 4304 wrote to memory of 3696	4304	Mhpgca32.exe	101
PID 3696 wrote to memory of 2340	3696	Mojopk32.exe	102
PID 3696 wrote to memory of 2340	3696	Mojopk32.exe	102
PID 3696 wrote to memory of 2340	3696	Mojopk32.exe	102
PID 2340 wrote to memory of 4908	2340	Mahklf32.exe	103
PID 2340 wrote to memory of 4908	2340	Mahklf32.exe	103
PID 2340 wrote to memory of 4908	2340	Mahklf32.exe	103
PID 4908 wrote to memory of 3688	4908	Nlnpio32.exe	104
PID 4908 wrote to memory of 3688	4908	Nlnpio32.exe	104
PID 4908 wrote to memory of 3688	4908	Nlnpio32.exe	104
PID 3688 wrote to memory of 2464	3688	Nakhaf32.exe	105
PID 3688 wrote to memory of 2464	3688	Nakhaf32.exe	105
PID 3688 wrote to memory of 2464	3688	Nakhaf32.exe	105
PID 2464 wrote to memory of 1460	2464	Nkcmjlio.exe	107
PID 2464 wrote to memory of 1460	2464	Nkcmjlio.exe	107
PID 2464 wrote to memory of 1460	2464	Nkcmjlio.exe	107
PID 1460 wrote to memory of 3456	1460	Namegfql.exe	108
PID 1460 wrote to memory of 3456	1460	Namegfql.exe	108
PID 1460 wrote to memory of 3456	1460	Namegfql.exe	108
PID 3456 wrote to memory of 4120	3456	Ndlacapp.exe	109
PID 3456 wrote to memory of 4120	3456	Ndlacapp.exe	109
PID 3456 wrote to memory of 4120	3456	Ndlacapp.exe	109
PID 4120 wrote to memory of 2172	4120	Nkeipk32.exe	110
PID 4120 wrote to memory of 2172	4120	Nkeipk32.exe	110
PID 4120 wrote to memory of 2172	4120	Nkeipk32.exe	110
PID 2172 wrote to memory of 4872	2172	Ncmaai32.exe	111
PID 2172 wrote to memory of 4872	2172	Ncmaai32.exe	111
PID 2172 wrote to memory of 4872	2172	Ncmaai32.exe	111
PID 4872 wrote to memory of 2232	4872	Nlefjnno.exe	112
PID 4872 wrote to memory of 2232	4872	Nlefjnno.exe	112
PID 4872 wrote to memory of 2232	4872	Nlefjnno.exe	112
PID 2232 wrote to memory of 860	2232	Nocbfjmc.exe	113
PID 2232 wrote to memory of 860	2232	Nocbfjmc.exe	113
PID 2232 wrote to memory of 860	2232	Nocbfjmc.exe	113
PID 860 wrote to memory of 4268	860	Ndpjnq32.exe	114

C:\Users\Admin\AppData\Local\Temp\5ad89217a9488c1cb34386c11ea199f0N.exe
"C:\Users\Admin\AppData\Local\Temp\5ad89217a9488c1cb34386c11ea199f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\Mekdffee.exe
  C:\Windows\system32\Mekdffee.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\Mkgmoncl.exe
    C:\Windows\system32\Mkgmoncl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\SysWOW64\Maaekg32.exe
      C:\Windows\system32\Maaekg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Windows\SysWOW64\Mlgjhp32.exe
        
        C:\Windows\system32\Mlgjhp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        32⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        41⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        46⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Qfgfpp32.exe
        
        C:\Windows\system32\Qfgfpp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        53⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Afqifo32.exe
        
        C:\Windows\system32\Afqifo32.exe
        60⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4708
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2316
        
        C:\Windows\SysWOW64\Bfhofnpp.exe
        
        C:\Windows\system32\Bfhofnpp.exe
        69⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Bmddihfj.exe
        
        C:\Windows\system32\Bmddihfj.exe
        73⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Bpbpecen.exe
        
        C:\Windows\system32\Bpbpecen.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Bfoegm32.exe
        
        C:\Windows\system32\Bfoegm32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        78⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Bmkjig32.exe
        
        C:\Windows\system32\Bmkjig32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        81⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Cdgolq32.exe
        
        C:\Windows\system32\Cdgolq32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        88⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Clgmkbna.exe
        
        C:\Windows\system32\Clgmkbna.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        91⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        95⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Dipgpf32.exe
        
        C:\Windows\system32\Dipgpf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        103⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 420
        105⤵
        Program crash
        
        PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4568 -ip 4568
1⤵
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
1⤵
PID:6140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afceko32.exe

Filesize
111KB

MD5
5d0dbdeab06bf0667f6bfb38f1555b17

SHA1
b32c3fa230f2e2d2d0dc6b4df137c5b602b89c70

SHA256
23712e7b4aba7b8e7766a3c21882b2266741510cc84ce8b64b80038a4d344c73

SHA512
55844c8258f3183c1523c56854e4663f1b82d562d666c3c5c08caa2bd1821b2f5beb6ed52df53d5a731ab8a39555d56efe9ff5e9474d6bed9ebaca362e990857

Download Submit
C:\Windows\SysWOW64\Balodg32.dll

Filesize
7KB

MD5
ea9347e335422a07bb24b1c7397543fc

SHA1
e054f55da5c3e63ead0d60f9e672170cc4d0518d

SHA256
5fd3ef9b6dbc42b5e7a8b5273cbc55d1041662f19d477b4d814ee4b1d7200b34

SHA512
d2aa805f84491490c2a0628c2d2b547921e335e73dbc2365f9880c34ee393f745b99caf3a72ae833ffde03d79809b1b7716a341116b5211a831a0a5abe0ba647

Download Submit
C:\Windows\SysWOW64\Bpbpecen.exe

Filesize
111KB

MD5
162b691bd5cf7954b08b8872121d2149

SHA1
efc4387ed62de1a1894da3187dd99cad5775fba3

SHA256
88bced41b5081f8ad102e94c55fd87e852cd12e7cde5c6525a7974b8f449f5f9

SHA512
ea203cae2fde1e9754efda3702efd298eb655dd277bb727c4f1a5442848850f80589ce55e70b532d7d6b53144ac9fba037cf2add1018831c606c0a4d0607edbf

Download Submit
C:\Windows\SysWOW64\Ciknefmk.exe

Filesize
111KB

MD5
4cc0d7c5861f221929b645fc57783542

SHA1
5cd337dc903ff8d614bdaa0d65250c227a6dc9c7

SHA256
b1b2661672052427b4a64dc5ebd2db51cf179d0506b1d120e8d949a33103c7c4

SHA512
efd764cf59fd9ad3283c219493ae355ee2db93d944bace55a77abd8eb91f22e8bf236bb430c0f15a447e4e171d14d8da5dd0b62c57757d568a5d5a9d5209fad4

Download Submit
C:\Windows\SysWOW64\Dpgbgpbe.exe

Filesize
111KB

MD5
491dc8fbeddb4036f90ce61f7cd1ca29

SHA1
db96d6579aebc8b21b288561b1826393642e3a90

SHA256
c77888c96f78a9dcd2233a41149f86c64f5a94710c3ffe360b8d8679ccf891cc

SHA512
5b2233c5394fd628b9dc555ab1c2b07bdf55da6169752c65df825d00af43ecb651d327cfa21d8ee4a490c40e2858cf2205e0159ee61ddb22be191b42e652cac1

Download Submit
C:\Windows\SysWOW64\Maaekg32.exe

Filesize
111KB

MD5
a9478b08542a7e8771f296b59673252b

SHA1
3ea59ffee428a95777df87afd3bc2ce95a240ecc

SHA256
5fe0166fba3fca991f71211d97fd42607b99e8827e58a7b9b884ae26ca9774c9

SHA512
e1a7f1f90f5a045dd9ddf5d2b5a5e767004908a347466e772040702e2b7a68734876a4fa55137baa1ecec98bea68e316546c59b96e69ce59600e361f3449a4cf

Download Submit
C:\Windows\SysWOW64\Mafofggd.exe

Filesize
111KB

MD5
3456184892938b45faa4573f9d2bd0a6

SHA1
b8bb9637c781cb761f3fb666569fe34a92c83a55

SHA256
746465cb7db22c5d0d2cadb8f5495409f93dd816f7ed9af0ec56c9bca37ac817

SHA512
e5af88fd54f3ff30abb651260d99f06f019bfb24d98dd50a79895d79048a85598ec4a3e5eff56bf4e5dbb9254c9c4f560541d524c34046872d2abf5cf91ea798

Download Submit
C:\Windows\SysWOW64\Mahklf32.exe

Filesize
111KB

MD5
f28429b2eef08185d073c97399ee1928

SHA1
baf21eb8a62318e7dd75c094e42ccfdd0c0c1de3

SHA256
345418ac74ea0b4d33b5ae96e5e988c0a104b37a1f989a53198a421baedb130f

SHA512
5fcae3a7956c09347c39ac556295f6dd61867c2a9bea36b1f256054f14ed9c583c0f3c7c413e2e55f40c34d4f0064cb741a706087cfb09e09c301dea78cf33cb

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
111KB

MD5
57e22511901433becc97c9eb42e57553

SHA1
0911b77204e201413d3b7d3ca2ad6c75a1686443

SHA256
07b45c08fd2984510a95749a2763f0595460e2d375f38efe1af9060800a94b14

SHA512
867f7aaff8a92174352827160a22452a48deaf2633d137513fcb6be7dd4d037029921d16812103252921f4a98cbad923561a7b895ecaf46632f51e0eb2300f49

Download Submit
C:\Windows\SysWOW64\Mekdffee.exe

Filesize
111KB

MD5
f95a104ec8de662948f15d91d20406cf

SHA1
ca2476133dfce7736b3cc2268e64fa17f31c647b

SHA256
41385a25570acfc0a5908979f7084fa6c1df2cd129669e45bd35f226492cb8c8

SHA512
5c37aa5bc4adcd44e99673dd7a4c08f721e7820460d43d1a902faac75486791faa6cc06c1d665673af2a4ed7db6aa01eb9916c386396ea07d6329f01d9bb5fea

Download Submit
C:\Windows\SysWOW64\Mhpgca32.exe

Filesize
111KB

MD5
142fa8de231a72d2888aba2d8e411ef3

SHA1
cbb606a87806461221956312b181f81a4e1b0358

SHA256
3c98dfbf1a9cdacb2233069c647ead27cdbf162bd2c11b1db38cf620ce1c584e

SHA512
6c3c1610fbd1e440dc2ef5aae6d9a4e0aca2177dc3d6895037c159c34e6bcc6669addfe21e22e25ee12004a0922bc86e1dcef60113060ddcaa5d6c017e710e6e

Download Submit
C:\Windows\SysWOW64\Mkgmoncl.exe

Filesize
111KB

MD5
74612595e71ab5145bdd8ec71fbe39ab

SHA1
1b023980d2ef0ee58dba9f81b8e13110ebd749f2

SHA256
95f6c283aa55be32b23f0510e6a455b0cd4e028d23da41b1e979b7ead5d95be6

SHA512
8239707b879ac4491307119fde678652faf51e287e6fdd7d2db75f80f9ce8d586117feb04270046473d367e2b934257453ddb0954563a25450e52c352f649d1f

Download Submit
C:\Windows\SysWOW64\Mkjjdmaj.exe

Filesize
111KB

MD5
f375a6e48819404450dd1871ba07c033

SHA1
716367737e035ce605867cfdcca0a15f8746bd92

SHA256
e19bfb34b09231ed6c352b0444087479bf0f21ce7b97bb71009fad7c146b5964

SHA512
ebfbebb17edcda2e7c18087f09b6ab6992df5b01fb8c8fecbb75f26ce8fbd23c96cbfc6abe3b4f4f43b5dfbb0ab73a471626f688c9e0c995f999bbf6ea493c76

Download Submit
C:\Windows\SysWOW64\Mlgjhp32.exe

Filesize
111KB

MD5
6a560fdd0586fbd8dcacf697183b6940

SHA1
0e4ca97999a9c1602d37ae8fb0fff14074a78c4b

SHA256
4433406d4b3a973f2988651130de11bfb28477eac3d88afcd30655ce6260f5bd

SHA512
6e0c06ad2b4c1f82898bea1553fa9b5251b632aadcc425b2fc5e036f757dd61fffc33c89ccbaebe540caa6c7bed248a3967df690b99943bc7f3f01e7ccf6c0c8

Download Submit
C:\Windows\SysWOW64\Mlifnphl.exe

Filesize
111KB

MD5
acc5fc2bedd7c44a9cc6f011fd5de540

SHA1
95b5d602033052f0bd0a53c7b641a5f8db8c1720

SHA256
5e79e218373a939aee384cf2427cc98ee96023d8c65d09d3cc8d885aead4c5f5

SHA512
66d68bd365fc5fc207e3cb7a6285ec1bd8dce97119991b56a720dcf204ded165c3e049c7618aec51a619c1d1480e0bc470a59525d1526e29cac8f2f5881f3008

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
111KB

MD5
75a2fefec417f880ed4eecf35bae36e6

SHA1
9c04ad700b95921823865a36dae10fcde13b287f

SHA256
896797aa92b15e1ca6f9e1399942545043e0eb3244c21a811681cae21cf6d244

SHA512
3a7fbad5960b1cf11a13d40a76e63c79feb492531a4afb9cdb1985f0d58ca7a1fa96f4053e3bb8f8795bae3c5fb69cd65ad8bf3292c7f147aa902b15ef25f006

Download Submit
C:\Windows\SysWOW64\Nakhaf32.exe

Filesize
111KB

MD5
f57bd8e42cfecb4d392a1bf19243dfe0

SHA1
29fdfdbb18d60ffcf4ca851fda432ba747785b2e

SHA256
ad9a78c4e9e6dac5ec309f3f6fa82cf6f2e1a21ac34e2a73da41dd5bae27caa5

SHA512
02773beacf663cd4395fdc44f0f024f06870ab0b096acc8e517304ef0d3bc18ddb3e6b6e07f85c18d0bdb7010c960866a072225ad03ad78178ed92b29c4c00de

Download Submit
C:\Windows\SysWOW64\Namegfql.exe

Filesize
111KB

MD5
540a450c6efd810e5791562c3b3592e9

SHA1
9355b2175c5fccaed3976b0831b1b6369fb61342

SHA256
18a97a7e53d1f50b188fcd33efab816218ba9495d2f43430563ae4eb8932b4b2

SHA512
cc57eaf1c8865f210482b8d5bd04e9ed81dbd43aa0ce4deb77c3f9a8b57fa5b7c8499d77d3015889502327d4b481a54c40c1ba764e010fa93214b3280a167747

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
111KB

MD5
bbda77b962a863d2a7a90ad8ef6e1dec

SHA1
4a196850ebaacdbc3bfeb58ff9ece1f9e40f3f39

SHA256
04785e8325cbcc7db8b4962da6dfb002349e586cb7137d709d3c2d77acb16301

SHA512
c2eb562da30475fd8a921425317d9aaf6b2e4b3c3ad022938a43815361f2c2010915b2d6040841eae998dba17a01ae1e6abfc2abada64bd71c5eeacbca325b18

Download Submit
C:\Windows\SysWOW64\Ndlacapp.exe

Filesize
111KB

MD5
c7db82416acd8699bf56a8ceeb05cf0c

SHA1
9b66db37685b3d67a7f51f0d809aa1d322fded89

SHA256
7b3f632446c68478d95b5549e8fa2d2a7e2aa32718573c9da13631e81c2c019d

SHA512
af29a0c459e836b1742ba28b56bfd34cfca9d6bd4be18350bdc9a16109ea8dcea9f650e136c43a2f88f30404fa96b84ad940202ec6b8d819b9460a418ed6c030

Download Submit
C:\Windows\SysWOW64\Ndpjnq32.exe

Filesize
111KB

MD5
c12ad96e9a3970a643e1b105dd9b0d6e

SHA1
e9eb05409f28d8bf8d545de77ad36ab85c0d0582

SHA256
53fcc9e2a6070bcee9c984eee1477175bd43dcae33d54df5209e09eebfe29fd4

SHA512
b389f364323dc46a7fcf08bd71a138a1b5feab84c858dd93c9ec8e632ce72d856b01751289bc1f5b87bf08f5b1e14d43dff63900d1190c25982a6784ca590197

Download Submit
C:\Windows\SysWOW64\Nfpghccm.exe

Filesize
111KB

MD5
666a14ec08462face67ff565d5b30321

SHA1
773392b2701af8c1941be130aa037ebc22acfea7

SHA256
80370dc2c84a6dee6e614ef1cba4ee2344bb919629e62d41b8ba67a87f97c4d4

SHA512
24bf20874ffc163d56265e08744ca54ef5dc885144873947d9975b9a07351b46068f0dba213135ca758007fc84c40f938fce97d9d7bcd97b47ee656cb263c339

Download Submit
C:\Windows\SysWOW64\Nkcmjlio.exe

Filesize
111KB

MD5
ed144661d69e5ef277fe6f5eb553e92f

SHA1
d6215156d427a5fe73563102e29140424ab06405

SHA256
0dc1ecab840b98f1308ba38ec6bfd82ac8502d799350a206ab5347f24ce9ad85

SHA512
b37bc880fbe933384a845e6343962e3686a205f210f2f57724bb0100816193a581d4646046b028754d7e6d878a53cf4f2d8457d4679988a49367f54b9175cdf0

Download Submit
C:\Windows\SysWOW64\Nkeipk32.exe

Filesize
111KB

MD5
3a1939a062bbdf9d5a0c0c535b849494

SHA1
c6ee2ff325c0e19cb79553a5b421ecb83d6d71ae

SHA256
15f989c91eee4814fef2882eec92a175a979db04ba1c24a374a081ac4a4c86f9

SHA512
e69416cbbb1339fb77f31789fac5d7e2e2b6fc63b76bfd94613868710db3bff22efdbd6bbd3816f3a07ac1df70f28da1904facd243f6ed20206e6abcb2590b4f

Download Submit
C:\Windows\SysWOW64\Nlefjnno.exe

Filesize
111KB

MD5
69b938ab191a9e91b6468c1c99cc643c

SHA1
48b08d8f63456f701105ca975c3b8549c5437ff4

SHA256
30e7e07ec4304831c7055dcccc051364ee255101c6eaead0f349de1c71aed263

SHA512
c769424c088488c01d0e83053623c94d42945c44efff39313926aaa51ccb8354292b89784956a90408113bfa768613040e683183fb5544da921de44866834b8f

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
111KB

MD5
fedb7d472b190eb75368f66c43fe3947

SHA1
521726b026ea39ef993ed190acf0a986181dc1a0

SHA256
36f34272d8fe7cceb77bdb037b95cd1e8a27ec1a5591da326c2c3b2afb6735fd

SHA512
9d055db61412c7e5aa5b86804307fa8b200263ff341c08cdd0cadd7ddbbd298c32b0f5dd5e84a3a78b7303dee58cefbcaf9bfe827ff779951f33b1289ee570ec

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe

Filesize
111KB

MD5
7cdc94eea9b239b294754764b8feea2b

SHA1
7be402d1a023ca5bf38bba92eb0dd5c827dda63b

SHA256
795d6889dd5eb18b722819b2b06e243fda0a991165dfdbb83465fa40622fe713

SHA512
2e1aaf3143e5adcd32116743c3d9bb08ecfa2ee15e6128a727d8fb65d84e2441f45125f137d7c426f09776d1113597fe9ff3b1ae41d91fb3456a3e5c8fc102cb

Download Submit
C:\Windows\SysWOW64\Nofoki32.exe

Filesize
111KB

MD5
3e23d78c38c27abca5d4b2607a48eaea

SHA1
d328a74329464d385bfbc53c2159bd2f674b2041

SHA256
b18cdbcd3c10e9034c06065139e79cb333639de3454ad44113d6ffd563d6cbc5

SHA512
efe040bc76371ebc65eee466369a98d5bbcd4177c9a4dcd2a41cb4ff99b96514b5fb71845500bfc91e2e1ac0cc15eac8c25150e6d00aa03776ca4ceadb0ed41f

Download Submit
C:\Windows\SysWOW64\Obfhmd32.exe

Filesize
111KB

MD5
ebba5de5f63fa4f922b996561b344b94

SHA1
f99ab4ca862a173a79769472f9676c30f1331b45

SHA256
2d46faca252870e3a9d475cc71780ad17a9b1dd44c213a5a7cd09e3ae9d6d3a5

SHA512
8953fafdec2b71dbe8aa0c99d264268526fe0eb717d8799982ad15616f49c0c3f64cb8d18e8090ee82e04655297baccb4bba723a46c98d63689cdef8294420df

Download Submit
C:\Windows\SysWOW64\Ochamg32.exe

Filesize
111KB

MD5
ccf55679744bd239d67dce5fd965f00f

SHA1
bc4b316aa300079671785ab72c97b2f6d2d4b931

SHA256
453fa63c118c79e3482b69fcbe7229b9f7666e026243da8466d6948d3e76b2df

SHA512
43f67e2903e893f55579ace51efb511009757543641548821c26ecc291a3886082047a376d1064dca2cce1dc34350b3fc56b3e0bb8d82c08c0c4849964dc86ea

Download Submit
C:\Windows\SysWOW64\Ocknbglo.exe

Filesize
111KB

MD5
a56f70873f1fe970e3a04847d574468c

SHA1
d4df7c8a90cdebac5ade2bf8235574cccb91c111

SHA256
39d7808c73ffb7ca3c90626a22a62190d47e5f1da1f3da57320831fcce26f3e3

SHA512
ee27e9df411e179fa628ed02e62a363b9071f47b9360d66cc425d0e44e6f5867101aaeb97612df0bac8c4985a5e18b078a1ce5ba6751bd10d3ae4eb97e5064f3

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
111KB

MD5
81100aa6595e62199411493ae5e040e7

SHA1
ddccdbf1cd9e1aa36cace9afb79007324fd3ad01

SHA256
f2d1d36287f85039924aaf08c6f3b93197976af1e67c72085fc75d3ce50dae83

SHA512
d2f28bb979b2fb3c4f059418720b68c54905c0128bd3a52177ee01190149122b327df82ec0d72b043e6fb3a0b798f6d9776a5584e3dcca2f765595f61554c97c

Download Submit
C:\Windows\SysWOW64\Odgqopeb.exe

Filesize
111KB

MD5
2b9c478c6dece841c940d722ac163cee

SHA1
29f57bcc5d0b3e953fd09c13547d298908ef3418

SHA256
66038d2801cd1d732e5a5aec81fc9b09125a9455ee4360265e61be4a3e79a03e

SHA512
4bdc693d9ebcd3a2ac0b2bcf54871b5942c40c21d448c57e2ee57f637bdf5bfd68f3da2fbfc733dad6557665dda4add1eab66187ee1007d62c9ddcf2cfc1a606

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
111KB

MD5
197f60d6ff16875999a39041977c75fa

SHA1
7ed24a719d7371ba0f16365e97d8876cbb23313f

SHA256
e69af1aa7d765a80343019e522312b5c8eb4819e09f520780e35ebd945d9701e

SHA512
ab85cd816b3773258a52bc6e7cca41886e7b8f0e0d2e9eee6e3ea97674ab703cde0ceff1340d789b65542a34e6235b07193370d7974b54468959a905293b9149

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
111KB

MD5
d845436c5b661f464bbbfdbed87e4a7c

SHA1
998e4653dc77f8064dea1b5f755294b1c08ecad0

SHA256
f66ad083e3bdc4502b5836799d77dca5e115b736a04f0864889bb0a553868b63

SHA512
0af9a15f6397726e30290a6d53d5bb38010075b34f5c805f20fe1b15d16f65e036d8099ccb4cde2e8b224d784ef5134a03bc1057ec002f9b00dc3c0d0f22ab17

Download Submit
C:\Windows\SysWOW64\Oljoen32.exe

Filesize
111KB

MD5
33771091b47e6566fbfd8fe2ee489d3a

SHA1
90560dfc0d1a5d792cddff4c37c9fb7c34779d44

SHA256
640f8aa4f53e4fa4648111767e549f94ff839ebab162838f88f76328d17a535a

SHA512
83235b20acc9d058f94685bd06427f7621813b41368ba501602b17ec3a3527f627ccd8db60bae916436e22e9630475a9a91a513c66e1bb329d7453a1b6878af4

Download Submit
C:\Windows\SysWOW64\Ollljmhg.exe

Filesize
111KB

MD5
eb1cf1dcb263d0709ac9a0f9963659a3

SHA1
37921dbbf92954cd32303041b43f5f0dd176921d

SHA256
5b8f4d3f18d741d89a876f0597b64321382b8f2481f14f06f7a49f6be9d64433

SHA512
6c73aee670b56bddec96a757841041b2e5e36af37e0314c3a0491919c7920f0aadd2e1fae68f7540d26ba44135642de598f4cc55542194047c730712ffd19f2d

Download Submit
C:\Windows\SysWOW64\Pcfmneaa.exe

Filesize
111KB

MD5
36d498628788691082527d4b7dc0254e

SHA1
64c04a51ea66bb7254f06cdfbc75e24a9ac237cb

SHA256
7937e25e79ee1e6cc94dd5c8c4cbfecce93c16cf08061e6a8eaf19de402e5bd6

SHA512
3da9802b2da0f2a2c565b78112ab410246cf6a0b0442f4a7b3ae402859a79c473711bc9afdacd8c4b0e10fa1383e130a73f13039086e1ef0a8761c15172b7a59

Download Submit
C:\Windows\SysWOW64\Pmeoqlpl.exe

Filesize
111KB

MD5
6c35b8a7a6efeaca1a0b04389f660ae3

SHA1
b88e01b1108e2930d09950d4032151cab04ef253

SHA256
b8b8aa026f5dacbc871b891489de94fbf92598a8f6f24e83f373198ba4e987a6

SHA512
c22ef5f622726ebf3ce1398239cae4ecd8618ee3693e1682e629efa972302a321fb8e1205fdbd4dc63682024db102b20b8ce557604b5638af7bb1fba564828b5

Download Submit
memory/544-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/648-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/664-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/676-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/692-599-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/692-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/860-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/948-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1004-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1080-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1420-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1460-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1592-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1776-592-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1916-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1916-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2120-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2172-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2284-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2316-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2412-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2412-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2432-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2784-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2808-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2812-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2960-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2992-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3160-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3176-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3180-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3184-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3304-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3428-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3456-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3536-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3616-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3688-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3696-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4100-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4120-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4128-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4132-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4160-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4268-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4276-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4284-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4304-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4400-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-585-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4448-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4448-578-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4460-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4708-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4812-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4812-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4872-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4892-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4892-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4908-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4964-205-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5012-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5124-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5164-481-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5204-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5244-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5288-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5328-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5368-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5436-518-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5484-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5532-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5572-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5612-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5652-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5696-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5740-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5784-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5828-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5868-582-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5912-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5960-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads