2889458d79fe98afcab1c80950b163690161a0d5550726662e0bc923ecad7ff0

Analysis

max time kernel
113s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2dfa30bd67b97b1930bcb5afa041c30N.exe
Size

177KB
MD5

c2dfa30bd67b97b1930bcb5afa041c30
SHA1

0848f515a460bebdb10c7425b9576831c3268552
SHA256

2889458d79fe98afcab1c80950b163690161a0d5550726662e0bc923ecad7ff0
SHA512

ccb14ee94783305fc1ac0f178c8ab8fb708c08c8a858628e5f68e8e776c7dd824cbf9d6199ebaa2a91435649d35a350feb95ffe40ebd84d2f1e70f1d421baec8
SSDEEP

3072:wwfkQWvg3/Mg3q/haR5sS+vfvLHhjh8g1eGFyOsa:RfmEMga/harSvLHh98gwG0ON

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miapbpmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnodgbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbjifgcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clnehado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khojcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbgkfbbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilfgq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfpnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okkkoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nldahn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oggeokoq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clnehado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efhcej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Padccpal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okpdjjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnflae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epcddopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjifgcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcikog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfchqf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egpena32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmmhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aahimb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dochelmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqngcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjklb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okkkoj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okpdjjil.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqddmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjklb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiokholk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqkpmaif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnofaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpbik32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qblfkgqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eikimeff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcikog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmficl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkelpd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpdankjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpdankjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moenkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dochelmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khojcj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfkclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqddmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c2dfa30bd67b97b1930bcb5afa041c30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcnfdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdpohodn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgqion32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdpohodn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnflae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Padccpal.exe

Executes dropped EXE 51 IoCs

pid	Process
3016	Jcfoihhp.exe
1920	Jcikog32.exe
2692	Kmficl32.exe
2496	Khojcj32.exe
2960	Lbgkfbbj.exe
632	Lkelpd32.exe
1916	Lpdankjg.exe
1192	Lilfgq32.exe
1032	Miapbpmb.exe
2804	Mlahdkjc.exe
2036	Mdmmhn32.exe
2344	Moenkf32.exe
1856	Nnjklb32.exe
2080	Ndfpnl32.exe
2932	Nnodgbed.exe
2316	Nldahn32.exe
1208	Okkkoj32.exe
616	Oiokholk.exe
1520	Oqkpmaif.exe
1656	Okpdjjil.exe
1908	Oggeokoq.exe
2848	Pcnfdl32.exe
1328	Pcpbik32.exe
1736	Padccpal.exe
360	Pfchqf32.exe
2432	Pbjifgcd.exe
2648	Qblfkgqb.exe
3048	Qjgjpi32.exe
2180	Qdpohodn.exe
2176	Amhcad32.exe
2504	Apilcoho.exe
2972	Aahimb32.exe
2112	Bnofaf32.exe
656	Cnflae32.exe
1052	Cnhhge32.exe
1988	Clnehado.exe
2032	Djafaf32.exe
1892	Dfhgggim.exe
668	Dfkclf32.exe
2092	Dochelmj.exe
2448	Dqddmd32.exe
2992	Dgqion32.exe
2328	Eddjhb32.exe
1188	Efhcej32.exe
940	Eqngcc32.exe
2360	Epcddopf.exe
1620	Eikimeff.exe
2800	Ebcmfj32.exe
2416	Egpena32.exe
2308	Fbfjkj32.exe
864	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2724	c2dfa30bd67b97b1930bcb5afa041c30N.exe
2724	c2dfa30bd67b97b1930bcb5afa041c30N.exe
3016	Jcfoihhp.exe
3016	Jcfoihhp.exe
1920	Jcikog32.exe
1920	Jcikog32.exe
2692	Kmficl32.exe
2692	Kmficl32.exe
2496	Khojcj32.exe
2496	Khojcj32.exe
2960	Lbgkfbbj.exe
2960	Lbgkfbbj.exe
632	Lkelpd32.exe
632	Lkelpd32.exe
1916	Lpdankjg.exe
1916	Lpdankjg.exe
1192	Lilfgq32.exe
1192	Lilfgq32.exe
1032	Miapbpmb.exe
1032	Miapbpmb.exe
2804	Mlahdkjc.exe
2804	Mlahdkjc.exe
2036	Mdmmhn32.exe
2036	Mdmmhn32.exe
2344	Moenkf32.exe
2344	Moenkf32.exe
1856	Nnjklb32.exe
1856	Nnjklb32.exe
2080	Ndfpnl32.exe
2080	Ndfpnl32.exe
2932	Nnodgbed.exe
2932	Nnodgbed.exe
2316	Nldahn32.exe
2316	Nldahn32.exe
1208	Okkkoj32.exe
1208	Okkkoj32.exe
616	Oiokholk.exe
616	Oiokholk.exe
1520	Oqkpmaif.exe
1520	Oqkpmaif.exe
1656	Okpdjjil.exe
1656	Okpdjjil.exe
1908	Oggeokoq.exe
1908	Oggeokoq.exe
2848	Pcnfdl32.exe
2848	Pcnfdl32.exe
1328	Pcpbik32.exe
1328	Pcpbik32.exe
1736	Padccpal.exe
1736	Padccpal.exe
360	Pfchqf32.exe
360	Pfchqf32.exe
2432	Pbjifgcd.exe
2432	Pbjifgcd.exe
2648	Qblfkgqb.exe
2648	Qblfkgqb.exe
3048	Qjgjpi32.exe
3048	Qjgjpi32.exe
2180	Qdpohodn.exe
2180	Qdpohodn.exe
2176	Amhcad32.exe
2176	Amhcad32.exe
2504	Apilcoho.exe
2504	Apilcoho.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Padccpal.exe	Pcpbik32.exe
File opened for modification	C:\Windows\SysWOW64\Qblfkgqb.exe	Pbjifgcd.exe
File created	C:\Windows\SysWOW64\Ejnbekph.dll	Dfhgggim.exe
File created	C:\Windows\SysWOW64\Jcikog32.exe	Jcfoihhp.exe
File created	C:\Windows\SysWOW64\Lbeede32.dll	Miapbpmb.exe
File created	C:\Windows\SysWOW64\Cdeffdbl.dll	Oggeokoq.exe
File created	C:\Windows\SysWOW64\Qjgjpi32.exe	Qblfkgqb.exe
File created	C:\Windows\SysWOW64\Djafaf32.exe	Clnehado.exe
File opened for modification	C:\Windows\SysWOW64\Epcddopf.exe	Eqngcc32.exe
File created	C:\Windows\SysWOW64\Panfjh32.dll	Eddjhb32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjklb32.exe	Moenkf32.exe
File opened for modification	C:\Windows\SysWOW64\Oiokholk.exe	Okkkoj32.exe
File created	C:\Windows\SysWOW64\Pjcpccaf.dll	Qjgjpi32.exe
File created	C:\Windows\SysWOW64\Dqddmd32.exe	Dochelmj.exe
File created	C:\Windows\SysWOW64\Jbaajccm.dll	Dochelmj.exe
File created	C:\Windows\SysWOW64\Elfkmcdp.dll	Dqddmd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndfpnl32.exe	Nnjklb32.exe
File created	C:\Windows\SysWOW64\Hdpbking.dll	Efhcej32.exe
File created	C:\Windows\SysWOW64\Oomjld32.dll	Eqngcc32.exe
File created	C:\Windows\SysWOW64\Fbfjkj32.exe	Egpena32.exe
File created	C:\Windows\SysWOW64\Fjkjgclg.dll	Jcikog32.exe
File created	C:\Windows\SysWOW64\Khojcj32.exe	Kmficl32.exe
File opened for modification	C:\Windows\SysWOW64\Khojcj32.exe	Kmficl32.exe
File created	C:\Windows\SysWOW64\Iifpfl32.dll	Okpdjjil.exe
File created	C:\Windows\SysWOW64\Cnhhge32.exe	Cnflae32.exe
File created	C:\Windows\SysWOW64\Ckpmmabh.dll	Cnflae32.exe
File created	C:\Windows\SysWOW64\Fiakeijo.dll	Egpena32.exe
File created	C:\Windows\SysWOW64\Lbgkfbbj.exe	Khojcj32.exe
File opened for modification	C:\Windows\SysWOW64\Lkelpd32.exe	Lbgkfbbj.exe
File created	C:\Windows\SysWOW64\Pcnfdl32.exe	Oggeokoq.exe
File created	C:\Windows\SysWOW64\Lilfgq32.exe	Lpdankjg.exe
File created	C:\Windows\SysWOW64\Qblfkgqb.exe	Pbjifgcd.exe
File opened for modification	C:\Windows\SysWOW64\Dfhgggim.exe	Djafaf32.exe
File created	C:\Windows\SysWOW64\Cidcinlc.dll	Qdpohodn.exe
File opened for modification	C:\Windows\SysWOW64\Eddjhb32.exe	Dgqion32.exe
File opened for modification	C:\Windows\SysWOW64\Lbgkfbbj.exe	Khojcj32.exe
File created	C:\Windows\SysWOW64\Jckenobm.dll	Nnjklb32.exe
File opened for modification	C:\Windows\SysWOW64\Nldahn32.exe	Nnodgbed.exe
File opened for modification	C:\Windows\SysWOW64\Okkkoj32.exe	Nldahn32.exe
File created	C:\Windows\SysWOW64\Oipklb32.dll	Okkkoj32.exe
File created	C:\Windows\SysWOW64\Neplhe32.dll	Pfchqf32.exe
File opened for modification	C:\Windows\SysWOW64\Ebcmfj32.exe	Eikimeff.exe
File created	C:\Windows\SysWOW64\Oqkpmaif.exe	Oiokholk.exe
File created	C:\Windows\SysWOW64\Qgfhapbi.dll	Djafaf32.exe
File created	C:\Windows\SysWOW64\Eikimeff.exe	Epcddopf.exe
File created	C:\Windows\SysWOW64\Miapbpmb.exe	Lilfgq32.exe
File opened for modification	C:\Windows\SysWOW64\Miapbpmb.exe	Lilfgq32.exe
File created	C:\Windows\SysWOW64\Cdokfc32.dll	Oiokholk.exe
File opened for modification	C:\Windows\SysWOW64\Fbfjkj32.exe	Egpena32.exe
File opened for modification	C:\Windows\SysWOW64\Jcikog32.exe	Jcfoihhp.exe
File opened for modification	C:\Windows\SysWOW64\Mdmmhn32.exe	Mlahdkjc.exe
File created	C:\Windows\SysWOW64\Oggeokoq.exe	Okpdjjil.exe
File opened for modification	C:\Windows\SysWOW64\Apilcoho.exe	Amhcad32.exe
File created	C:\Windows\SysWOW64\Bfdbgnmd.dll	Ndfpnl32.exe
File opened for modification	C:\Windows\SysWOW64\Djafaf32.exe	Clnehado.exe
File created	C:\Windows\SysWOW64\Efhcej32.exe	Eddjhb32.exe
File opened for modification	C:\Windows\SysWOW64\Dqddmd32.exe	Dochelmj.exe
File created	C:\Windows\SysWOW64\Dgqion32.exe	Dqddmd32.exe
File opened for modification	C:\Windows\SysWOW64\Jcfoihhp.exe	c2dfa30bd67b97b1930bcb5afa041c30N.exe
File created	C:\Windows\SysWOW64\Ogcgmi32.dll	Lkelpd32.exe
File opened for modification	C:\Windows\SysWOW64\Oqkpmaif.exe	Oiokholk.exe
File created	C:\Windows\SysWOW64\Hkbbalfd.dll	Amhcad32.exe
File created	C:\Windows\SysWOW64\Aiheodlg.dll	Cnhhge32.exe
File created	C:\Windows\SysWOW64\Lbogaf32.dll	Clnehado.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2760	864	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efhcej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnofaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epcddopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmficl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eikimeff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebcmfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddjhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okpdjjil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhcad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnflae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjklb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpdankjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmmhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiokholk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qblfkgqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdpohodn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dochelmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgqion32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcikog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkelpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padccpal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbgkfbbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhhge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqkpmaif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcfoihhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlahdkjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcnfdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djafaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfhgggim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqngcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbjifgcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfkclf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjgjpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfchqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clnehado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lilfgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okkkoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apilcoho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aahimb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfpnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khojcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miapbpmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moenkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnodgbed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nldahn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpbik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqddmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2dfa30bd67b97b1930bcb5afa041c30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfjkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oggeokoq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnodgbed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiokholk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okpdjjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlahdkjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c2dfa30bd67b97b1930bcb5afa041c30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkelpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmlmc32.dll"	Aahimb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpfjap32.dll"	Bnofaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c2dfa30bd67b97b1930bcb5afa041c30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jailfk32.dll"	c2dfa30bd67b97b1930bcb5afa041c30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdokfc32.dll"	Oiokholk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfchqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfhapbi.dll"	Djafaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqngcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkelpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbgkfbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moenkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjklb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidcinlc.dll"	Qdpohodn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clnehado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahgd32.dll"	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhal32.dll"	Khojcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcikog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmmhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfpnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfokdde.dll"	Nnodgbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edeppfdk.dll"	Pbjifgcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcpccaf.dll"	Qjgjpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdpohodn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcfoihhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dochelmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiheodlg.dll"	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Padccpal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfchqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmficl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Padccpal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjgjpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiakeijo.dll"	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oggeokoq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnenhj32.dll"	Jcfoihhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilfgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okenjhim.dll"	Apilcoho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnbekph.dll"	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c2dfa30bd67b97b1930bcb5afa041c30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnofaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efhcej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomjld32.dll"	Eqngcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpdankjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neplhe32.dll"	Pfchqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfkclf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfpnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqkpmaif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnoe32.dll"	Moenkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnodgbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipklb32.dll"	Okkkoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amhcad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdbgnmd.dll"	Ndfpnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcfoihhp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 3016	2724	c2dfa30bd67b97b1930bcb5afa041c30N.exe	30
PID 2724 wrote to memory of 3016	2724	c2dfa30bd67b97b1930bcb5afa041c30N.exe	30
PID 2724 wrote to memory of 3016	2724	c2dfa30bd67b97b1930bcb5afa041c30N.exe	30
PID 2724 wrote to memory of 3016	2724	c2dfa30bd67b97b1930bcb5afa041c30N.exe	30
PID 3016 wrote to memory of 1920	3016	Jcfoihhp.exe	31
PID 3016 wrote to memory of 1920	3016	Jcfoihhp.exe	31
PID 3016 wrote to memory of 1920	3016	Jcfoihhp.exe	31
PID 3016 wrote to memory of 1920	3016	Jcfoihhp.exe	31
PID 1920 wrote to memory of 2692	1920	Jcikog32.exe	32
PID 1920 wrote to memory of 2692	1920	Jcikog32.exe	32
PID 1920 wrote to memory of 2692	1920	Jcikog32.exe	32
PID 1920 wrote to memory of 2692	1920	Jcikog32.exe	32
PID 2692 wrote to memory of 2496	2692	Kmficl32.exe	33
PID 2692 wrote to memory of 2496	2692	Kmficl32.exe	33
PID 2692 wrote to memory of 2496	2692	Kmficl32.exe	33
PID 2692 wrote to memory of 2496	2692	Kmficl32.exe	33
PID 2496 wrote to memory of 2960	2496	Khojcj32.exe	34
PID 2496 wrote to memory of 2960	2496	Khojcj32.exe	34
PID 2496 wrote to memory of 2960	2496	Khojcj32.exe	34
PID 2496 wrote to memory of 2960	2496	Khojcj32.exe	34
PID 2960 wrote to memory of 632	2960	Lbgkfbbj.exe	35
PID 2960 wrote to memory of 632	2960	Lbgkfbbj.exe	35
PID 2960 wrote to memory of 632	2960	Lbgkfbbj.exe	35
PID 2960 wrote to memory of 632	2960	Lbgkfbbj.exe	35
PID 632 wrote to memory of 1916	632	Lkelpd32.exe	36
PID 632 wrote to memory of 1916	632	Lkelpd32.exe	36
PID 632 wrote to memory of 1916	632	Lkelpd32.exe	36
PID 632 wrote to memory of 1916	632	Lkelpd32.exe	36
PID 1916 wrote to memory of 1192	1916	Lpdankjg.exe	37
PID 1916 wrote to memory of 1192	1916	Lpdankjg.exe	37
PID 1916 wrote to memory of 1192	1916	Lpdankjg.exe	37
PID 1916 wrote to memory of 1192	1916	Lpdankjg.exe	37
PID 1192 wrote to memory of 1032	1192	Lilfgq32.exe	38
PID 1192 wrote to memory of 1032	1192	Lilfgq32.exe	38
PID 1192 wrote to memory of 1032	1192	Lilfgq32.exe	38
PID 1192 wrote to memory of 1032	1192	Lilfgq32.exe	38
PID 1032 wrote to memory of 2804	1032	Miapbpmb.exe	39
PID 1032 wrote to memory of 2804	1032	Miapbpmb.exe	39
PID 1032 wrote to memory of 2804	1032	Miapbpmb.exe	39
PID 1032 wrote to memory of 2804	1032	Miapbpmb.exe	39
PID 2804 wrote to memory of 2036	2804	Mlahdkjc.exe	40
PID 2804 wrote to memory of 2036	2804	Mlahdkjc.exe	40
PID 2804 wrote to memory of 2036	2804	Mlahdkjc.exe	40
PID 2804 wrote to memory of 2036	2804	Mlahdkjc.exe	40
PID 2036 wrote to memory of 2344	2036	Mdmmhn32.exe	41
PID 2036 wrote to memory of 2344	2036	Mdmmhn32.exe	41
PID 2036 wrote to memory of 2344	2036	Mdmmhn32.exe	41
PID 2036 wrote to memory of 2344	2036	Mdmmhn32.exe	41
PID 2344 wrote to memory of 1856	2344	Moenkf32.exe	42
PID 2344 wrote to memory of 1856	2344	Moenkf32.exe	42
PID 2344 wrote to memory of 1856	2344	Moenkf32.exe	42
PID 2344 wrote to memory of 1856	2344	Moenkf32.exe	42
PID 1856 wrote to memory of 2080	1856	Nnjklb32.exe	43
PID 1856 wrote to memory of 2080	1856	Nnjklb32.exe	43
PID 1856 wrote to memory of 2080	1856	Nnjklb32.exe	43
PID 1856 wrote to memory of 2080	1856	Nnjklb32.exe	43
PID 2080 wrote to memory of 2932	2080	Ndfpnl32.exe	44
PID 2080 wrote to memory of 2932	2080	Ndfpnl32.exe	44
PID 2080 wrote to memory of 2932	2080	Ndfpnl32.exe	44
PID 2080 wrote to memory of 2932	2080	Ndfpnl32.exe	44
PID 2932 wrote to memory of 2316	2932	Nnodgbed.exe	45
PID 2932 wrote to memory of 2316	2932	Nnodgbed.exe	45
PID 2932 wrote to memory of 2316	2932	Nnodgbed.exe	45
PID 2932 wrote to memory of 2316	2932	Nnodgbed.exe	45

C:\Users\Admin\AppData\Local\Temp\c2dfa30bd67b97b1930bcb5afa041c30N.exe
"C:\Users\Admin\AppData\Local\Temp\c2dfa30bd67b97b1930bcb5afa041c30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\Jcfoihhp.exe
  C:\Windows\system32\Jcfoihhp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\Jcikog32.exe
    C:\Windows\system32\Jcikog32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\Kmficl32.exe
      C:\Windows\system32\Kmficl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\Khojcj32.exe
        
        C:\Windows\system32\Khojcj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Windows\SysWOW64\Lbgkfbbj.exe
        
        C:\Windows\system32\Lbgkfbbj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Lkelpd32.exe
        
        C:\Windows\system32\Lkelpd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Lpdankjg.exe
        
        C:\Windows\system32\Lpdankjg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Lilfgq32.exe
        
        C:\Windows\system32\Lilfgq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Miapbpmb.exe
        
        C:\Windows\system32\Miapbpmb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Mlahdkjc.exe
        
        C:\Windows\system32\Mlahdkjc.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Mdmmhn32.exe
        
        C:\Windows\system32\Mdmmhn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Moenkf32.exe
        
        C:\Windows\system32\Moenkf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Nnjklb32.exe
        
        C:\Windows\system32\Nnjklb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Ndfpnl32.exe
        
        C:\Windows\system32\Ndfpnl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Nnodgbed.exe
        
        C:\Windows\system32\Nnodgbed.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Nldahn32.exe
        
        C:\Windows\system32\Nldahn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Okkkoj32.exe
        
        C:\Windows\system32\Okkkoj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Oiokholk.exe
        
        C:\Windows\system32\Oiokholk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Oqkpmaif.exe
        
        C:\Windows\system32\Oqkpmaif.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Okpdjjil.exe
        
        C:\Windows\system32\Okpdjjil.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Oggeokoq.exe
        
        C:\Windows\system32\Oggeokoq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Pcnfdl32.exe
        
        C:\Windows\system32\Pcnfdl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Pcpbik32.exe
        
        C:\Windows\system32\Pcpbik32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Padccpal.exe
        
        C:\Windows\system32\Padccpal.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Pfchqf32.exe
        
        C:\Windows\system32\Pfchqf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:360
        
        C:\Windows\SysWOW64\Pbjifgcd.exe
        
        C:\Windows\system32\Pbjifgcd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Qblfkgqb.exe
        
        C:\Windows\system32\Qblfkgqb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Qjgjpi32.exe
        
        C:\Windows\system32\Qjgjpi32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Qdpohodn.exe
        
        C:\Windows\system32\Qdpohodn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Amhcad32.exe
        
        C:\Windows\system32\Amhcad32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Apilcoho.exe
        
        C:\Windows\system32\Apilcoho.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Aahimb32.exe
        
        C:\Windows\system32\Aahimb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Bnofaf32.exe
        
        C:\Windows\system32\Bnofaf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Cnflae32.exe
        
        C:\Windows\system32\Cnflae32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\Cnhhge32.exe
        
        C:\Windows\system32\Cnhhge32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Clnehado.exe
        
        C:\Windows\system32\Clnehado.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Djafaf32.exe
        
        C:\Windows\system32\Djafaf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Dfhgggim.exe
        
        C:\Windows\system32\Dfhgggim.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Dfkclf32.exe
        
        C:\Windows\system32\Dfkclf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Dochelmj.exe
        
        C:\Windows\system32\Dochelmj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Dqddmd32.exe
        
        C:\Windows\system32\Dqddmd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Dgqion32.exe
        
        C:\Windows\system32\Dgqion32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Eddjhb32.exe
        
        C:\Windows\system32\Eddjhb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Efhcej32.exe
        
        C:\Windows\system32\Efhcej32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Eqngcc32.exe
        
        C:\Windows\system32\Eqngcc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Epcddopf.exe
        
        C:\Windows\system32\Epcddopf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Eikimeff.exe
        
        C:\Windows\system32\Eikimeff.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Ebcmfj32.exe
        
        C:\Windows\system32\Ebcmfj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Fbfjkj32.exe
        
        C:\Windows\system32\Fbfjkj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 140
        53⤵
        Program crash
        
        PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aahimb32.exe

Filesize
177KB

MD5
dcc997461e26838b00aa3a64108460fb

SHA1
dee58594e98b80905ac6c1ae000370dad14c687d

SHA256
d0d8c3797b5d3f841ced84d2ffc7759e67799cd02d160e1bb10d16f2825b990f

SHA512
f7728adc18b5f08312e58f47294c33ccb1ba813ff0dcb0d8274ad68cc9839625de9becd0f8d9e75c1b569ae4dec7b70798a96ba125c7c46d5e547fb9ceb3ff11

Download Submit
C:\Windows\SysWOW64\Amhcad32.exe

Filesize
177KB

MD5
da01cd06b65686c3a3da0627da7b63c5

SHA1
0a6880cbe00d6b922f6f4f8f2cdb4470b7d70331

SHA256
37b14410fb844a9bfe636bd86578ec394f4d7a468a715f8f7a217ba383e70d29

SHA512
81823c06c08d7b3a91f85b9e8e9ac7b683737237eca2dcbd1795a8863b75b9b09ac0ad8e5951a6dd433d72bf3bbcfdb14a3fba2de964326f715372de60d85de7

Download Submit
C:\Windows\SysWOW64\Apilcoho.exe

Filesize
177KB

MD5
b591c10872fa33f76a9bad56f1306966

SHA1
78afb2b9cd8bfef08e2cf26dcc3788ddcfb5376e

SHA256
e7eee6b81a54e3fb734b62a1518ad1b14b1b5cd17d7a938e63924c697d2f28d0

SHA512
3cd27e44435b6f318042a3f3b99da0db800a65572de8642a26f1057ab8804d9c76518608c6fc90562410ad728ce57cda0ad2175aef425f5676a9fe611d0d7dba

Download Submit
C:\Windows\SysWOW64\Bnofaf32.exe

Filesize
177KB

MD5
b7ee9664a91679a28813d056107fcb77

SHA1
e20171bd300518252a580dbb59e3fc256720eff0

SHA256
60acda9ce1582b50f4c0947e6d3e541e0e3bb33090b02fb55d5a030c439250a8

SHA512
fbc22af3983565ed30f2f65a0ec7caaae56188135082bb9545b9770f3d9626be2b94a1dcd71e0bd47331a70ea478514dadc8e15f170d0c8ff6fdc6a0af99e622

Download Submit
C:\Windows\SysWOW64\Clnehado.exe

Filesize
177KB

MD5
7ab66ea0d3153074e5a197c9e8bffbc5

SHA1
c405ca2905a5d68bac8ff60d23e2df684259c2d7

SHA256
eb89b1cef0ebf5a06943cc9bbf0e9f08ada80fd6299e3abf321ed5d82f78ac52

SHA512
94f4e3ad88b8a75500a8d7937e528ad56c08919e1236893f1bd6ce8f510937d5e5ead8a504314a520a584ff431780e1aef3f3da8c610deb84e2ba5a26f289c46

Download Submit
C:\Windows\SysWOW64\Cnflae32.exe

Filesize
177KB

MD5
268d76e802c96172d7dde1ecf228c89a

SHA1
e74162b03e3545c41114c51faa3a659241848023

SHA256
5c713b26f3edea2123b003edf0fa877c2218ae0a227dd677ed7bda760dc6ccd4

SHA512
071f8a9da26767856965dd282275f92e184506bbd0dfb36d19c02f875befdcef014d73b1807d7ae8255af49911a59caeb7f223efe88b64e6a2de95c69df7055d

Download Submit
C:\Windows\SysWOW64\Cnhhge32.exe

Filesize
177KB

MD5
11d23579277d15de5facd0294b5c0890

SHA1
360740c822d970f9b3540667ebf00a1a02be1626

SHA256
478d62b9d89e95b7c551d2db66cc79f0cbd631c326a1a933fb1a364997973b93

SHA512
a71d54a616908fda535c5bb1046e6e03d388553dd2873304c70fb6a746e8cec85e0118305ad4e0c20bdec3384c8f9ce6a69632115f160d9e6a0dacbf85742b74

Download Submit
C:\Windows\SysWOW64\Dfhgggim.exe

Filesize
177KB

MD5
3cd1eef13f14204a6414fc08e36ed87d

SHA1
291f58f8f0b5409cf5236f4a5fd2ee1f5a89c6d8

SHA256
ff903364aedaf719955daccb6307df90feb96e64c91dfd6bdf33deee033a584c

SHA512
f5bdf30f5d0a92b93f0cbb4be8508f1a2b0a034ab9a056e1c8988dd18349659669cfe7e368dc276cae3ff7af13b749deb3053d4d846a1e2bd57de1ab5bda3366

Download Submit
C:\Windows\SysWOW64\Dfkclf32.exe

Filesize
177KB

MD5
e2948772d657cb6128c9cdc97ef49a59

SHA1
27c7da05876345db8e69a8a39b8f8a9d5f635d2a

SHA256
6da9390376bbc605c184c56f2eec22cf66667fc095a123e428de5699080bc6d9

SHA512
df650e24c027f7fefc6fbcbb840e21b8e0daa8ac4730401a3d6c005e89dd729e6f2ab7c0fda0d09bfcb2dd581132a47ff5e2c50193a32a434a72289c190819fc

Download Submit
C:\Windows\SysWOW64\Dgqion32.exe

Filesize
177KB

MD5
baf8a56521d070f46f9d503e2ab18490

SHA1
6092c522538b4f89aa154b1134b7842809360b93

SHA256
16a57ac1eb8d20138beb50cd17932f83f663be78ba17647edd69ed73acaaf5d8

SHA512
86e1853c5fa6e86188e53bf4da1c4dc56b45f7882bb67a4c24dee943bb7007cc643666aadac2e8e8f0c1971a8fcde80e5db41e82532648dde892e55f7d7e901e

Download Submit
C:\Windows\SysWOW64\Djafaf32.exe

Filesize
177KB

MD5
fa6d1b7ad9557bf3fbd6691c0196f8e0

SHA1
d76daf069f7dff86be7ac53ec52bf390c4d5d099

SHA256
52a9a30226ea8f23f1685dc259679b368eccd778f30e2b0fab446d67ab701d48

SHA512
5ce546b1660380be9adc734c08e0290db8788ead3e4bb78d6962eb26d46279c10c94eb38fda46f136c58839131619125a2df007e15c2083e39158fa52a5d9812

Download Submit
C:\Windows\SysWOW64\Dochelmj.exe

Filesize
177KB

MD5
ebff24882dbb95be1da505502c972d5b

SHA1
9cd4e6f0f49cede37f62c62da63feae52f2eac0e

SHA256
8bab15a9f1fd6d2ab5621cf98c5c3894fec1d6cd8156dce4ff24f49d662568f7

SHA512
726ee3d01976c5403d45d8b74cc413694719e77f9a9becf207763b941533f2a2993121995907c03676a48f9bcc0d46ac9859970d457e63f33f4f098b846e73af

Download Submit
C:\Windows\SysWOW64\Dqddmd32.exe

Filesize
177KB

MD5
4ecc7e647dc34a48b983208a5c8960f1

SHA1
6a1aeb22d93b697c1dd9b965183e3d6560afd63d

SHA256
64f1d32beeb17b571a22d4ae30d9a8f6edeacc9ba64bcbcd92781e64572cf918

SHA512
f4cb1a69a3f807fca8d6cd0086c0fe40864f05b255b051c1314498468a0856437faff119373fa5264389e38c06c0aeec0da81825a07ff606e511fafe56f085cb

Download Submit
C:\Windows\SysWOW64\Ebcmfj32.exe

Filesize
177KB

MD5
96828fe9cc980a25e97272b5ad05669e

SHA1
404631d8ec59d15e983c044491b4f8638589a273

SHA256
24199c491f61515735decfdd55c090d1b5020fe212fd01a5d1b3af4bad80470c

SHA512
c90fbdfb2a01b2fe49754d62d7a3902f02119cf0218a76c52ea819be382f495191ac9d94096a4c34f1b2f8b9005d6e437d04251b42ca37822e6073c53adb942b

Download Submit
C:\Windows\SysWOW64\Eddjhb32.exe

Filesize
177KB

MD5
f39f774d8cdd5ac17ceac6402101aec1

SHA1
ce1fda5fdb6bcf83fe34cece655d0eff00ff321e

SHA256
f7fe9e3fb7be6edd96dc639b8c075f3a25d0e2579e298ef71bd38170b2d48beb

SHA512
2520b71f788d8a6b1baf43b41921453e77ac58d5c7be91f494f531d3280ba46494c020ca9762f118bac3a997887d9ce7ad1876aef081fea5f8ce4ff1ef93e3a8

Download Submit
C:\Windows\SysWOW64\Efhcej32.exe

Filesize
177KB

MD5
72bada62c7cab2e2e16a63a9d14a8507

SHA1
304011dd10db1d26849917980dcd636ae081d3c7

SHA256
2ab87a1b89a6b685afc1e7b7c8bd0ab2f0e0ebe32e97180165a367d7f45c1850

SHA512
6b9b423d2ed36b46714318f119aff6a9559b8c0d1a46adff21afaab1d1119da6546bd906d131a7d290b0e4facce0851770e1f3c942e42bd9ecdffee02f517503

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
177KB

MD5
89b8419c278586cd15a1c8b402fd40c8

SHA1
3cc0447bf1128b281ff0270a67deb06492937ba1

SHA256
06d9da336ab3cb1011f1de20ccf066b77ea0e1e10cbfacae5775e47c2c2b1baf

SHA512
c583954a9a30073419a54554e7ef61430151d3ba76302c0050b48facd99f135288858ef0a81b25d9a3c99af38761f6b0ba260a4aacd8ffa353bd447874c89653

Download Submit
C:\Windows\SysWOW64\Eikimeff.exe

Filesize
177KB

MD5
19e9377c4db47e1202909ce3f5a00261

SHA1
6f5114e62313fc27e63e991a95e23a91e6bbe74c

SHA256
1c007c08d207c456918f463b1435624754903a1a41a31de2f29cd40ca1fdd728

SHA512
20ebac6cd683fab06907803d8445db27c9ee5be720ee4025883f449db7b244e3b1ad09d5f60a5ba26b3fa828d5ff41734ed859fc22382e464c813450bac27854

Download Submit
C:\Windows\SysWOW64\Epcddopf.exe

Filesize
177KB

MD5
20b1b46931166408d864f3675298978e

SHA1
90b12e89de3b9b331fa07f4f9b16e0eccc704f4d

SHA256
9fa7e297a5c1f1bacf5907da7bb17228684ba46d18bd5502ee0b13130dc233f6

SHA512
24af7d6b1f1cdf58594f0987cd3a7cd72346f67cb5c184a443ff54ba6d3fccac9d109ccea257d86dc80e9b69eb7987e975d311ae7be6550b36caa8852b7629e9

Download Submit
C:\Windows\SysWOW64\Eqngcc32.exe

Filesize
177KB

MD5
1b945785ed5ff843b96215d69330f6bf

SHA1
98ada473af05d44adec15382138617e9c5d89aed

SHA256
2bfddb9501a637940cf8ee74dbb4d9473d4f5b1663c23a34280c7da69a2a7a0f

SHA512
82c33105dfa218575ab7b785b22f1b95b412bf577183820b231c62e7683a1310e96cf2502d6c9cad886509f9e6c114ac5f8b973c54a5f5432808440819643416

Download Submit
C:\Windows\SysWOW64\Fbfjkj32.exe

Filesize
177KB

MD5
9168d0c92a069e6225793f6cc833c670

SHA1
8f73d2d02d19ad0ed399951b92794f5d746fa7fb

SHA256
b2c0d3ef8baf0bf5f521a15aa972493dcd983b660413987e8ecd45f18e84752d

SHA512
8a48564c75e6333b0b2a8168831a4a13f1504bc0088abcce9f8a8dc3fcdc047209f20f62b3ea8c23fd9f0746b6d8b6988618879926a00cdcf19d1dffa872e9b7

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
177KB

MD5
b8960e7f058d5e4b5a444abd9a6fac67

SHA1
58cd3309f09cd6b8a8eb6f0d3fb58a88c3876439

SHA256
65a62620d97ea0224cab5205430d5ab562d10fb5d5421d72afaa2b2bcd616798

SHA512
9b2cb0a5578c301d3927fd13956d1d058c4cd34a04d7ea451472cc59519a3276255cabdaff5ed8bccb59aa857c6cac6c2eff7ce339b5e36c151305fce3174fdd

Download Submit
C:\Windows\SysWOW64\Jcikog32.exe

Filesize
177KB

MD5
b532331d8e4063878032440bd1a7007c

SHA1
281365701b7c2c18ce2163749668a7d7d644f146

SHA256
41e6222eb71c918d960829d6a12b66596b51fa41967b6f3edfcc25236b19d272

SHA512
8eb404272307cb3d5dd9e534b8d96c71da1b8851525e256f9aef4f75f6f109a7bc4030aa892a87b42d0fe826ebd3706edbafcb6e9232c3944b15848cf16f9d8d

Download Submit
C:\Windows\SysWOW64\Lilfgq32.exe

Filesize
177KB

MD5
9caaa59c5a63039d44fed8746f4a5734

SHA1
13c652d67afa7610836bd15d7cd3b78ba27a00ef

SHA256
2873575f8f9cc5e91663f82dc7b47ae60b7e54d36e71807389feb6c39a165eb4

SHA512
605cb76f557820943654ea7dc8325d49ef3eeeacbc7c44cd34d86a014912646e11a6276ddaa9409d968738530f5e556cf9ba0c7ae88678ef28dd1b4c9ae77994

Download Submit
C:\Windows\SysWOW64\Nldahn32.exe

Filesize
177KB

MD5
59a44b226c4efd79367325c1906a4ede

SHA1
dc58fec1d5e5cc44a193ef80c351b03c9bdaab82

SHA256
52ddae7b98fffd7065d1d0a7e9784ca736f13693096211c561c492d8d27b1d29

SHA512
bd6086d79db6a733b6cd1d8e7775d933a7bbf3ef59dd2de87c570a3e8544e6d2301e8b11045f2351bbaea4bb8ddfb73b2351482395f6100f41e2acf642ca4b58

Download Submit
C:\Windows\SysWOW64\Oggeokoq.exe

Filesize
177KB

MD5
2908392a95b27bacbf6af0210f8fd2b8

SHA1
9abb0e0ce725115794d4d78de8d63cc14b22d150

SHA256
4f6edfa008772de1a1169e5b6e2348cea663a84b068810cd46bddd88fde5e148

SHA512
d9ccbbb1fba7687bc5f95df715a50a4fb23896f29caa9f7804deb5b798a8d31aa6257f51f23fec54e5a74174e53d2761e3ada503474958aea124e903f9c62235

Download Submit
C:\Windows\SysWOW64\Oiokholk.exe

Filesize
177KB

MD5
25b1cb2502d0dd369cab769f919c9136

SHA1
82d208897a7dccd4755fbdd7f65ab556043ccd6e

SHA256
4b4b21b87f3e68f18700d350c3daed766c22cdd8205d4b84bd4495cca3ffedb0

SHA512
d2f1a037d57549cbbce3958cc7fe4e871be6fc9190ad2eb1a4c493bc012ce1b94cf6842791f85c0698ab695ea6889e018522a926f05a465353f9b51e266d2584

Download Submit
C:\Windows\SysWOW64\Okkkoj32.exe

Filesize
177KB

MD5
04dec58bbd134a605c9073fc51ae6040

SHA1
c40dab921cd40eb75cedf09f294ddab8c95b2604

SHA256
a3753024e1fe76bce3884bc24a949c8d85da626912315ae6c5c3c7c0ced04711

SHA512
0c8d9a334ef7e63730ef88fd8b556df10eb75a3ca97dbccd064388fbe16438d38a17b36859f5a22ff5e9698848a6747e15a9856ddff4aca81dd776be0ce39ab7

Download Submit
C:\Windows\SysWOW64\Okpdjjil.exe

Filesize
177KB

MD5
55b47d1263ea3abc146127ef5c5fa212

SHA1
c2bcbdc571f53cb3ea56fbb775750c89ffb6feb0

SHA256
ac14ed3d61a68bf37157a13550b0031df570f3ab3b73a8890b19d962653f4baa

SHA512
5250542cc13313dd0835a076954d48c812fe252e90d075c17fa045b7c0a2963a1068c862ce3e1e873aab5b89d7095c875d175f6df40630042596918fbbe6db78

Download Submit
C:\Windows\SysWOW64\Oqkpmaif.exe

Filesize
177KB

MD5
1264c67bc9edbe9fffd60cfc0aef6f06

SHA1
84f0b8c4129fbf84b1f609155ee801c50c47f767

SHA256
247a9e7ee2081f7338329fd52e006b7afdfbfecebb5be3f8b9934b5a0b3db2f4

SHA512
e9ad9375583f092a622ebf64c3a60cb9d990444951bc4322ee514b2f8d5d2fbadcc27d5aad77646d399c5f17d9541818c4cda2788a39870b6ccc3dbcf2953ea1

Download Submit
C:\Windows\SysWOW64\Padccpal.exe

Filesize
177KB

MD5
bf3157be19bb034d0aaabbeff702e77e

SHA1
4a0733491fa47248d9b5105a6735551b43ca170d

SHA256
2bb4cf01c17aec08dfeef06ab91a0d31403159420f44f1afae78f8b75511f703

SHA512
07e7f0e62d829e1bc91f2816706e3e8c12bc160321a3b70404c1a8718ebd3e6a79f4a56ffdaa0294d330b977c0ce24ca1a476fcf77fe213b61e3f14739118080

Download Submit
C:\Windows\SysWOW64\Pbjifgcd.exe

Filesize
177KB

MD5
bbac00d708e340458af6463e2a431b0e

SHA1
d951e430136a3cf470e485859ee1242770e2995d

SHA256
d058b7033108bafdb89d7e3721bbaa133152330a3ee07888d45e0d7558a3d89d

SHA512
5f1ff5f808b4dba0f03f62cb1d18c44256e0d2c4e336b75a33f15a799000b0109d57ccffe96f04b95541f83aa24504a1e7ff2a76fbee124c9a3e876c0c4ea8c2

Download Submit
C:\Windows\SysWOW64\Pcnfdl32.exe

Filesize
177KB

MD5
d43340b8f0f6be7ee1f1b8e3306ea13f

SHA1
3a6fce891dd72f76472b3911fc3dc0a29e5363af

SHA256
e29c2ea2b6cb00036d9962d8285a2b8678d2076cb2a631144e176500dfb281ff

SHA512
ab6790269d10cf7d82b9149bda6a27a7d10dfda3e1a76a76221811cc298820dc8243a26b7c1b2de73e8db4ec94046e437c362a7457c4ad3bbb06e5628c6ab0b1

Download Submit
C:\Windows\SysWOW64\Pcpbik32.exe

Filesize
177KB

MD5
c0b854b3818cc4db54da719e6aa9978b

SHA1
d94bea0d6927837d2e6c14dd8345a1098257685b

SHA256
c97f7c4affc8e710f8dba96812b4fbeaf9f67a0980add5192d7c0c3bfaca0ccb

SHA512
f5c33b62af41a85c115b749ca46246591d73fae3fefb12dea79a5b6d77e501599f9c1a1da9b3dbc93fbf5d498856dfa4953e5cbe8f8e16d74ad6f2bcd4ae5836

Download Submit
C:\Windows\SysWOW64\Pfchqf32.exe

Filesize
177KB

MD5
64da191fbab5b7f78cc8daba16038334

SHA1
2c2c8094575cad409786a00d3f169a05c1987d39

SHA256
93be4934631e194fa2083ad34aa3c4e8bc0e7d588bf6a05e80d96ada7cc021a4

SHA512
cd6abc49e13979004250c7927745c40ba981847384c92f5deb357f86255a35ab27fcbf3aa37d336f917a3815d366fdc0ab580adc4b0cd756c8878518037b41d2

Download Submit
C:\Windows\SysWOW64\Qblfkgqb.exe

Filesize
177KB

MD5
72ea207243e03b9c080e4d745975ee1f

SHA1
b5b3e046f50fa6d867043baa5378d498e8d7a2de

SHA256
7dbcd3f6a8b82acb6f544f9c25bccb18a997ba88b1ec7ecf33ed89051491ac69

SHA512
1226d73d40a4408827661acef09765bdb98a6b66d250d2cf8994167862fa41c613c8ca9ee09ebd4ef8d3fac97ce301310194f114ae029cc3d8851a4ffc308464

Download Submit
C:\Windows\SysWOW64\Qdpohodn.exe

Filesize
177KB

MD5
861b676cad238105d32e8aa712a2f87a

SHA1
38670d4fe88046f608d12c14d86cd20614220fdc

SHA256
6c1e12d54170e1013c03b7b60c27c21af0f5e69019897771565f45bbccccd77f

SHA512
f8a2f31b251f79298cd94245cbdc8c7fb49a16c351380a1a5ef31f31d8731c78511acca217c687074d3d2e689a1907681a188f76c7c90466e0194fa6f381f0f6

Download Submit
C:\Windows\SysWOW64\Qjgjpi32.exe

Filesize
177KB

MD5
56e24b37f214c85f6ac23cdd261cc5f0

SHA1
378acfeadae0190c7fdb47eff469659ce96317ae

SHA256
02ac41d5a7a3b4d2f7f2472808de0ce8dcee1788a5e2af7a1b7829518832759b

SHA512
36d01f16cce209f16649a24641f81b67ddc02fe0208f4f832e589e2e7fa3b377e864ca0e12e267d654cd2460a4b206f8bd33ee5cb660a2304fd689d34262e778

Download Submit
\Windows\SysWOW64\Jcfoihhp.exe

Filesize
177KB

MD5
6ac6004981590cca3d3c0d07007729d1

SHA1
c4659fe76fee963167f806ef2a03787f4c8c8376

SHA256
a7b76379f3d0b453663089fce41a27787e54abd2772b73fb25af8f776edbdcdd

SHA512
6e018201a0c3c23f5b898bb18ffc869b3177392f04807f0db4977b1ae1ac6178635b010def2c99c80a13de063b1a6ddd0c66ef32fa773c47d289a3d03090136b

Download Submit
\Windows\SysWOW64\Khojcj32.exe

Filesize
177KB

MD5
53568c05b3a65d8ca43fa70f731ec9f8

SHA1
23f35c15be68c1f325f8c862b3f87d31acd67059

SHA256
6aee0bfc021d6ccf30be9489c48f1e83bebe833ff02ebda309251b3a81954cf3

SHA512
b97df12595ba46327f0fd287e17d25068cd06c579a3dba033819113789c258ed930047e053e52d67c6f1f5d2e8eca2dfc795cc1db03d9b8dc50edd8076b8d62c

Download Submit
\Windows\SysWOW64\Kmficl32.exe

Filesize
177KB

MD5
34aa1dbf9188fb73f35c943c91272fa3

SHA1
5596c6cac9ad5a8d179343ee28c460212c064f54

SHA256
c2d61cc05955672f02a218d60ef8b7b81e133d59e6c251996ce4ef30e1ad7a88

SHA512
23c9e04bc6383069bd3921dc87bfd1049e3d375321f9e2c433ef7c8073d8ab9497c9180d2bbf568692ecd8db367749591d650ea44be294a9b073eeee1aad8cf8

Download Submit
\Windows\SysWOW64\Lbgkfbbj.exe

Filesize
177KB

MD5
95bfe132ce3a0e573fa5367724b53716

SHA1
30947cdb3a929791d221c0110070ff2e32a50347

SHA256
5e9eb35ec3b7be449f6d2988a24fe371983a0db6d6b994b30523582fab86316c

SHA512
cad67b1f1fe977b2299f897f972f3dfc237b4cf672299451505943befa42a1ea88d165da0e42e46495dff774cbfab0c4c134668a167ace604b9124f06540b11b

Download Submit
\Windows\SysWOW64\Lkelpd32.exe

Filesize
177KB

MD5
cf5b73374f04116ad7910c9f11ef24d5

SHA1
35fbfe80707076cd7593f20db8c6ad2a9f69c64c

SHA256
d01f0951723fc89af04efa9c3dab28479cdd8f40685bbf4661461137b3eb3063

SHA512
1714505532b4a88d1d6629dab9e7177439398130b5609f2055e30ceaa357f264b8ebf04daa8a45337ccd693438d31192a24b228a03bde5128e2e945a67badf97

Download Submit
\Windows\SysWOW64\Lpdankjg.exe

Filesize
177KB

MD5
ac4508e83f959da48804f6d83532890c

SHA1
1edbcc134d574c5bc44db2a0c3b96c57ba20e600

SHA256
ea2bf028c0fb3b06c23746a4823a354d9412a73c69a05716f1a5d9c64f8994a3

SHA512
7a501dad5b367e5744543d8e3275128caf9c72770e0d33770c79f2771205472e5c2c6f6426d36769450a75c8556f64f003843de0b8b4848c250c29683088e456

Download Submit
\Windows\SysWOW64\Mdmmhn32.exe

Filesize
177KB

MD5
36354bf15bb2b9ca336c1b100ac605fd

SHA1
fa65fccf025e71e099b1acb35782bde47092be83

SHA256
17b86239e81ea7385fc05b7ce6315b61b463c04540a29a315e32e4c0712d8557

SHA512
9e217f420c157d96d8f75a47010b50c9c0c76a887801813dbe39150994fc683f8ce4af3f78d41c0791fbbbb9594ff55988ba74c14c9400ec4507d0a45a6b1674

Download Submit
\Windows\SysWOW64\Miapbpmb.exe

Filesize
177KB

MD5
52b0770a4c7989527086d7db27ed52f0

SHA1
2ddebf165eb31801ce988fcc1752f4c2e3abb2f7

SHA256
9c20d0b6e6da10b88484434515f83bb2cec6a1bb1eb40e0ce1b4c146efef78b8

SHA512
7df708e12b452dd1416401f9dbcd93cf2ebaa721467a853f18992f999fef3c057de0b825cb64727406a4cddc8b2eaa0f3be9a8192b283886ef2ead9801f8c456

Download Submit
\Windows\SysWOW64\Mlahdkjc.exe

Filesize
177KB

MD5
bac01cb5233dafebc0610d81403c1268

SHA1
c5ea47afa7122443ed02f6ebeac7129f062e58ba

SHA256
3eee61d8e9e6f298100768e3d25f3841b932dd0ff75f64cba9edddb4bebe214d

SHA512
4009773bd2e82cc2b952b7dd8549b853f0173e35df1c5d6b6be3268dba31847c0a7f8126a1d4dbec61e407a2cd789ae257b650d0bb2ac22dc31a1565f1fe905b

Download Submit
\Windows\SysWOW64\Moenkf32.exe

Filesize
177KB

MD5
ebcedf3715b5372a7689e35564debfd8

SHA1
7fd5a0afe78b10fec1f6941e92ffd2b301e84d69

SHA256
413491f27ed15c15121e0dbddc484dd60f2fc06f46bf5ce6aa4e3d034dd3afc9

SHA512
c9239f8075e9e90736ea54dbe9a53d02226ae265805ee311bf435dd1331dbe8c8eacc6828c47eb820499c4e3b5eafce4fb76edfba7295a65752e753ea3b9f51a

Download Submit
\Windows\SysWOW64\Ndfpnl32.exe

Filesize
177KB

MD5
e73b10fe633409f936e66d23a27ee881

SHA1
cf742d4ecea159e8e2f45dcdb4d5c5be58a8988e

SHA256
506252b6dae89917cf5bd48c6861e6978c67229021b3b164105cfa5e656072cf

SHA512
f4e15ea74b16377aa27645db5b80c92043415aa8f8aa0184b0463020c55d6246c95da0160642d45e062dfb3c9c61fe7186cdfb2676ec7b3ef8167e43e98cf80e

Download Submit
\Windows\SysWOW64\Nnjklb32.exe

Filesize
177KB

MD5
665f13dfe28bbdb8622c900ba6b6bcdd

SHA1
f3a8f5e650b766e23b91158abf7b770cda5fc1c9

SHA256
e363002477774daa10a2ce08000291581d9551594c5d28876fe194f986273572

SHA512
401c5f70714d55bae7a3d463f7fd9839b716961d92506ca90f53d1d71cc3c0afc9e48b3e88ac4e065489d32c477f4f61605b10c04e8365cdba115269c219e813

Download Submit
\Windows\SysWOW64\Nnodgbed.exe

Filesize
177KB

MD5
43d735db781865db9dfd4d10d242462f

SHA1
cdf5e4273d5457dc43eea206eed0358c0d63c7a8

SHA256
f7dbad9830a49fa2580c94a7b8a763d56c51fc5840c4984303f8b34df5cfb2b7

SHA512
c50e0ddaa8857ac0e177c8beff88606c03677ebec2932699e62e23a7485e1d8d62aca8178d7452ba6b1586bd87cd8682e33d41efcbd6e830544c92e3d841ab51

Download Submit
memory/360-316-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/360-317-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/360-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/616-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/616-241-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/616-245-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/632-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/656-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/656-415-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/668-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1032-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-431-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1188-512-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1188-519-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/1192-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1192-113-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/1192-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1192-118-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/1208-228-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1328-297-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1328-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-296-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1520-252-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1520-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-253-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1656-264-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/1656-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-260-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/1736-308-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1736-307-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1736-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1892-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-275-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/1908-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-271-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/1916-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-390-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1920-35-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1920-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2032-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2080-513-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2080-516-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2080-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2080-197-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2092-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-476-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2092-477-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2112-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-404-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2176-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-365-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2180-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-219-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2328-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-507-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2344-167-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2344-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-326-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2432-330-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2448-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-61-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2496-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-341-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2648-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-343-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2692-48-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2692-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2724-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2724-6-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2724-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2724-12-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2804-140-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2804-484-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2804-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-285-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2848-286-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2932-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-77-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2960-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-352-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/3048-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-351-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads