72a1b699ccf5e7ec2af669a64376a14ae170d9aad51ff311d2df698857f889bc

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 22:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

72a1b699ccf5e7ec2af669a64376a14ae170d9aad51ff311d2df698857f889bc.exe
Size

64KB
MD5

384512414e3a5cf89cb476ca9b1cd904
SHA1

01b9f44ce5b67f5540b8fca19642686e2fb6d139
SHA256

72a1b699ccf5e7ec2af669a64376a14ae170d9aad51ff311d2df698857f889bc
SHA512

7d5e858147315ed498e0bae533bd43ef0bf3fcfabfd446eaf56c305a0584b13c53ba95992dd1d09c84011aff482765f3ff713f6dde0062dbe16b5d3144b07994
SSDEEP

1536:cdxcQFP2z6Q9OM9QGO/GVGFtVHSF/beO6XKhbMbt2:UxcQvQUMiG2GwTHACO6Xjt2

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loopdmpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdnebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medglemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclppboi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbaehl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dedkogqm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lamlphoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qckfid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpgjpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mddkbbfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcncodki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbdkhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmfqngcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obfhmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohqpjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odljjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obkahddl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimhmkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bipnihgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfnjbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	72a1b699ccf5e7ec2af669a64376a14ae170d9aad51ff311d2df698857f889bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aioebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfoegm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noaeqjpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcicjbal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdngpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beoimjce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbaehl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nchhfild.exe

Executes dropped EXE 64 IoCs

pid	Process
4124	Lhdggb32.exe
396	Lkcccn32.exe
3252	Loopdmpk.exe
3460	Lamlphoo.exe
2980	Lhgdmb32.exe
4272	Mlbpma32.exe
1216	Moalil32.exe
1976	Maoifh32.exe
3500	Mdnebc32.exe
1576	Mafofggd.exe
5096	Mddkbbfg.exe
1548	Mllccpfj.exe
1204	Medglemj.exe
404	Nlnpio32.exe
3220	Nchhfild.exe
4900	Ndidna32.exe
4828	Nkcmjlio.exe
3280	Namegfql.exe
2748	Nhgmcp32.exe
4768	Noaeqjpe.exe
3980	Ndnnianm.exe
4220	Nkhfek32.exe
2244	Nconfh32.exe
2616	Nfnjbdep.exe
2324	Nhlfoodc.exe
3084	Nbdkhe32.exe
872	Nfpghccm.exe
4796	Ohncdobq.exe
4620	Okmpqjad.exe
1332	Obfhmd32.exe
4416	Ohqpjo32.exe
4508	Okolfj32.exe
232	Obidcdfo.exe
4880	Odgqopeb.exe
1528	Oomelheh.exe
1708	Obkahddl.exe
4808	Oheienli.exe
4992	Okceaikl.exe
4348	Ocknbglo.exe
4284	Ofijnbkb.exe
3528	Odljjo32.exe
1432	Okfbgiij.exe
4216	Ocmjhfjl.exe
928	Pdngpo32.exe
3320	Pmeoqlpl.exe
2340	Pcpgmf32.exe
2792	Pdqcenmg.exe
3164	Pmhkflnj.exe
1416	Pofhbgmn.exe
4156	Pbddobla.exe
4224	Pecpknke.exe
2620	Piolkm32.exe
2868	Pkmhgh32.exe
2764	Pcdqhecd.exe
680	Peempn32.exe
2528	Piaiqlak.exe
3932	Pcfmneaa.exe
1328	Pehjfm32.exe
5064	Pkabbgol.exe
4092	Pcijce32.exe
4976	Pbljoafi.exe
2120	Qifbll32.exe
980	Qckfid32.exe
1588	Qfjcep32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Amfhgj32.exe	Aeopfl32.exe
File opened for modification	C:\Windows\SysWOW64\Afeban32.exe	Acgfec32.exe
File opened for modification	C:\Windows\SysWOW64\Bclppboi.exe	Bldgoeog.exe
File opened for modification	C:\Windows\SysWOW64\Dpjompqc.exe	Dedkogqm.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Ddhhbngi.exe
File created	C:\Windows\SysWOW64\Eeeibmnq.dll	Lkcccn32.exe
File created	C:\Windows\SysWOW64\Kefjdppe.dll	Mdnebc32.exe
File created	C:\Windows\SysWOW64\Knojng32.dll	Peempn32.exe
File created	C:\Windows\SysWOW64\Bmkjig32.exe	Bipnihgi.exe
File created	C:\Windows\SysWOW64\Ddqbbo32.exe	Dpefaq32.exe
File created	C:\Windows\SysWOW64\Dedkogqm.exe	Dpgbgpbe.exe
File opened for modification	C:\Windows\SysWOW64\Mllccpfj.exe	Mddkbbfg.exe
File opened for modification	C:\Windows\SysWOW64\Okolfj32.exe	Ohqpjo32.exe
File created	C:\Windows\SysWOW64\Pkjdhm32.dll	Abemep32.exe
File created	C:\Windows\SysWOW64\Edkamckh.dll	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Aeffgkkp.exe	Apimodmh.exe
File created	C:\Windows\SysWOW64\Lgkkbg32.dll	Cpifeb32.exe
File created	C:\Windows\SysWOW64\Gpngef32.dll	Ddqbbo32.exe
File opened for modification	C:\Windows\SysWOW64\Nfnjbdep.exe	Nconfh32.exe
File created	C:\Windows\SysWOW64\Okfbgiij.exe	Odljjo32.exe
File created	C:\Windows\SysWOW64\Pdngpo32.exe	Ocmjhfjl.exe
File created	C:\Windows\SysWOW64\Qecnjaee.dll	Cmbpjfij.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Ddhhbngi.exe
File created	C:\Windows\SysWOW64\Mkbdql32.dll	Ocknbglo.exe
File created	C:\Windows\SysWOW64\Dqjhif32.dll	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Lfijgnnj.dll	Cefoni32.exe
File created	C:\Windows\SysWOW64\Igqceh32.dll	Aioebj32.exe
File created	C:\Windows\SysWOW64\Clbdpc32.exe	Cplckbmc.exe
File opened for modification	C:\Windows\SysWOW64\Cdjlap32.exe	Clbdpc32.exe
File created	C:\Windows\SysWOW64\Dibdeegc.exe	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Loopdmpk.exe	Lkcccn32.exe
File opened for modification	C:\Windows\SysWOW64\Mlbpma32.exe	Lhgdmb32.exe
File created	C:\Windows\SysWOW64\Daliqjnc.dll	Pcfmneaa.exe
File opened for modification	C:\Windows\SysWOW64\Ddhhbngi.exe	Dlqpaafg.exe
File opened for modification	C:\Windows\SysWOW64\Piaiqlak.exe	Peempn32.exe
File opened for modification	C:\Windows\SysWOW64\Pehjfm32.exe	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Cojaijla.dll	Qifbll32.exe
File created	C:\Windows\SysWOW64\Paajfjdm.dll	Oheienli.exe
File opened for modification	C:\Windows\SysWOW64\Pdngpo32.exe	Ocmjhfjl.exe
File opened for modification	C:\Windows\SysWOW64\Pdqcenmg.exe	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Piolkm32.exe	Pecpknke.exe
File opened for modification	C:\Windows\SysWOW64\Qcncodki.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Ohncdobq.exe	Nfpghccm.exe
File created	C:\Windows\SysWOW64\Eobdnbdn.dll	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Lcoeiajc.dll	Pbddobla.exe
File created	C:\Windows\SysWOW64\Cefoni32.exe	Cpifeb32.exe
File opened for modification	C:\Windows\SysWOW64\Cfjeckpj.exe	Cmbpjfij.exe
File created	C:\Windows\SysWOW64\Dpjompqc.exe	Dedkogqm.exe
File created	C:\Windows\SysWOW64\Nffopp32.dll	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Cmonod32.dll	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Mlbpma32.exe	Lhgdmb32.exe
File created	C:\Windows\SysWOW64\Nlnpio32.exe	Medglemj.exe
File created	C:\Windows\SysWOW64\Chdjpphi.dll	Ofijnbkb.exe
File opened for modification	C:\Windows\SysWOW64\Mdnebc32.exe	Maoifh32.exe
File created	C:\Windows\SysWOW64\Mafofggd.exe	Mdnebc32.exe
File opened for modification	C:\Windows\SysWOW64\Pmeoqlpl.exe	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Qifbll32.exe	Pbljoafi.exe
File opened for modification	C:\Windows\SysWOW64\Apgqie32.exe	Aimhmkgn.exe
File opened for modification	C:\Windows\SysWOW64\Lhdggb32.exe	72a1b699ccf5e7ec2af669a64376a14ae170d9aad51ff311d2df698857f889bc.exe
File created	C:\Windows\SysWOW64\Alinebli.dll	72a1b699ccf5e7ec2af669a64376a14ae170d9aad51ff311d2df698857f889bc.exe
File created	C:\Windows\SysWOW64\Lkcccn32.exe	Lhdggb32.exe
File opened for modification	C:\Windows\SysWOW64\Dedkogqm.exe	Dpgbgpbe.exe
File opened for modification	C:\Windows\SysWOW64\Odljjo32.exe	Ofijnbkb.exe
File opened for modification	C:\Windows\SysWOW64\Pofhbgmn.exe	Pmhkflnj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6208	5188	WerFault.exe	213

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moalil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjlap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfjeckpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimhmkgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmfqngcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcila32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dedkogqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohncdobq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbddobla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclppboi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndidna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bifkcioc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipnihgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldgoeog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckfid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cplckbmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhdggb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obfhmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cefoni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpgbgpbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afeban32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdkhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bihhhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obkahddl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Almanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpefaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Debnjgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loopdmpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgdmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjompqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amoknh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfjllnnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmjlio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfmneaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhfek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammnhilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcpika32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mafofggd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnjbdep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocknbglo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcnleb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbalaoda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medglemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfoegm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcfmneaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecnjaee.dll"	Cmbpjfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdnebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdejagg.dll"	Ndidna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haafdi32.dll"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkhfek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okolfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfidek32.dll"	Lhgdmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjmqdci.dll"	Amoknh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpcila32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcdqhecd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbdmc32.dll"	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojaijla.dll"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acppddig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckjdhni.dll"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aioebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgfaf32.dll"	Namegfql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abohmm32.dll"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mejcig32.dll"	Nfnjbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlqgpnjq.dll"	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pofhbgmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgfdkj32.dll"	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnmfk32.dll"	Medglemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoeiajc.dll"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoglp32.dll"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicfep32.dll"	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loopdmpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obidcdfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmfqngcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	72a1b699ccf5e7ec2af669a64376a14ae170d9aad51ff311d2df698857f889bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjijdf32.dll"	Loopdmpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kchhih32.dll"	Maoifh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkhikf32.dll"	Pcpgmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Ddhhbngi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmnibme.dll"	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bipnihgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkbdql32.dll"	Ocknbglo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aioebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmonod32.dll"	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igqceh32.dll"	Aioebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddhhbngi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kannaq32.dll"	Piaiqlak.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4124	5028	72a1b699ccf5e7ec2af669a64376a14ae170d9aad51ff311d2df698857f889bc.exe	90
PID 5028 wrote to memory of 4124	5028	72a1b699ccf5e7ec2af669a64376a14ae170d9aad51ff311d2df698857f889bc.exe	90
PID 5028 wrote to memory of 4124	5028	72a1b699ccf5e7ec2af669a64376a14ae170d9aad51ff311d2df698857f889bc.exe	90
PID 4124 wrote to memory of 396	4124	Lhdggb32.exe	91
PID 4124 wrote to memory of 396	4124	Lhdggb32.exe	91
PID 4124 wrote to memory of 396	4124	Lhdggb32.exe	91
PID 396 wrote to memory of 3252	396	Lkcccn32.exe	93
PID 396 wrote to memory of 3252	396	Lkcccn32.exe	93
PID 396 wrote to memory of 3252	396	Lkcccn32.exe	93
PID 3252 wrote to memory of 3460	3252	Loopdmpk.exe	94
PID 3252 wrote to memory of 3460	3252	Loopdmpk.exe	94
PID 3252 wrote to memory of 3460	3252	Loopdmpk.exe	94
PID 3460 wrote to memory of 2980	3460	Lamlphoo.exe	96
PID 3460 wrote to memory of 2980	3460	Lamlphoo.exe	96
PID 3460 wrote to memory of 2980	3460	Lamlphoo.exe	96
PID 2980 wrote to memory of 4272	2980	Lhgdmb32.exe	97
PID 2980 wrote to memory of 4272	2980	Lhgdmb32.exe	97
PID 2980 wrote to memory of 4272	2980	Lhgdmb32.exe	97
PID 4272 wrote to memory of 1216	4272	Mlbpma32.exe	98
PID 4272 wrote to memory of 1216	4272	Mlbpma32.exe	98
PID 4272 wrote to memory of 1216	4272	Mlbpma32.exe	98
PID 1216 wrote to memory of 1976	1216	Moalil32.exe	99
PID 1216 wrote to memory of 1976	1216	Moalil32.exe	99
PID 1216 wrote to memory of 1976	1216	Moalil32.exe	99
PID 1976 wrote to memory of 3500	1976	Maoifh32.exe	100
PID 1976 wrote to memory of 3500	1976	Maoifh32.exe	100
PID 1976 wrote to memory of 3500	1976	Maoifh32.exe	100
PID 3500 wrote to memory of 1576	3500	Mdnebc32.exe	101
PID 3500 wrote to memory of 1576	3500	Mdnebc32.exe	101
PID 3500 wrote to memory of 1576	3500	Mdnebc32.exe	101
PID 1576 wrote to memory of 5096	1576	Mafofggd.exe	103
PID 1576 wrote to memory of 5096	1576	Mafofggd.exe	103
PID 1576 wrote to memory of 5096	1576	Mafofggd.exe	103
PID 5096 wrote to memory of 1548	5096	Mddkbbfg.exe	104
PID 5096 wrote to memory of 1548	5096	Mddkbbfg.exe	104
PID 5096 wrote to memory of 1548	5096	Mddkbbfg.exe	104
PID 1548 wrote to memory of 1204	1548	Mllccpfj.exe	105
PID 1548 wrote to memory of 1204	1548	Mllccpfj.exe	105
PID 1548 wrote to memory of 1204	1548	Mllccpfj.exe	105
PID 1204 wrote to memory of 404	1204	Medglemj.exe	106
PID 1204 wrote to memory of 404	1204	Medglemj.exe	106
PID 1204 wrote to memory of 404	1204	Medglemj.exe	106
PID 404 wrote to memory of 3220	404	Nlnpio32.exe	107
PID 404 wrote to memory of 3220	404	Nlnpio32.exe	107
PID 404 wrote to memory of 3220	404	Nlnpio32.exe	107
PID 3220 wrote to memory of 4900	3220	Nchhfild.exe	108
PID 3220 wrote to memory of 4900	3220	Nchhfild.exe	108
PID 3220 wrote to memory of 4900	3220	Nchhfild.exe	108
PID 4900 wrote to memory of 4828	4900	Ndidna32.exe	109
PID 4900 wrote to memory of 4828	4900	Ndidna32.exe	109
PID 4900 wrote to memory of 4828	4900	Ndidna32.exe	109
PID 4828 wrote to memory of 3280	4828	Nkcmjlio.exe	110
PID 4828 wrote to memory of 3280	4828	Nkcmjlio.exe	110
PID 4828 wrote to memory of 3280	4828	Nkcmjlio.exe	110
PID 3280 wrote to memory of 2748	3280	Namegfql.exe	111
PID 3280 wrote to memory of 2748	3280	Namegfql.exe	111
PID 3280 wrote to memory of 2748	3280	Namegfql.exe	111
PID 2748 wrote to memory of 4768	2748	Nhgmcp32.exe	112
PID 2748 wrote to memory of 4768	2748	Nhgmcp32.exe	112
PID 2748 wrote to memory of 4768	2748	Nhgmcp32.exe	112
PID 4768 wrote to memory of 3980	4768	Noaeqjpe.exe	113
PID 4768 wrote to memory of 3980	4768	Noaeqjpe.exe	113
PID 4768 wrote to memory of 3980	4768	Noaeqjpe.exe	113
PID 3980 wrote to memory of 4220	3980	Ndnnianm.exe	114

C:\Users\Admin\AppData\Local\Temp\72a1b699ccf5e7ec2af669a64376a14ae170d9aad51ff311d2df698857f889bc.exe
"C:\Users\Admin\AppData\Local\Temp\72a1b699ccf5e7ec2af669a64376a14ae170d9aad51ff311d2df698857f889bc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\SysWOW64\Lhdggb32.exe
  C:\Windows\system32\Lhdggb32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Windows\SysWOW64\Lkcccn32.exe
    C:\Windows\system32\Lkcccn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\SysWOW64\Loopdmpk.exe
      C:\Windows\system32\Loopdmpk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Windows\SysWOW64\Lamlphoo.exe
        
        C:\Windows\system32\Lamlphoo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3460
      - C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        30⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        53⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        54⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Qckfid32.exe
        
        C:\Windows\system32\Qckfid32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        66⤵
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        69⤵
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Aimhmkgn.exe
        
        C:\Windows\system32\Aimhmkgn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Apgqie32.exe
        
        C:\Windows\system32\Apgqie32.exe
        73⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Abemep32.exe
        
        C:\Windows\system32\Abemep32.exe
        74⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Almanf32.exe
        
        C:\Windows\system32\Almanf32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        77⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Aeffgkkp.exe
        
        C:\Windows\system32\Aeffgkkp.exe
        78⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Amoknh32.exe
        
        C:\Windows\system32\Amoknh32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Bcicjbal.exe
        
        C:\Windows\system32\Bcicjbal.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Bihhhi32.exe
        
        C:\Windows\system32\Bihhhi32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Bcnleb32.exe
        
        C:\Windows\system32\Bcnleb32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Bfoegm32.exe
        
        C:\Windows\system32\Bfoegm32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Bimach32.exe
        
        C:\Windows\system32\Bimach32.exe
        95⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Bmkjig32.exe
        
        C:\Windows\system32\Bmkjig32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        115⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Ddhhbngi.exe
        
        C:\Windows\system32\Ddhhbngi.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        119⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 400
        120⤵
        Program crash
        
        PID:6208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5188 -ip 5188
1⤵
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4404,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:6632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aioebj32.exe

Filesize
64KB

MD5
b660fe0ddf5ff58c1585aed7824ad57b

SHA1
e84232ea51319e92a76ef189d405e90b3472c5c1

SHA256
b8bd5da64bba1ef96886eaec06e331efe5be4d6b3e909e4a4213c8df0e014d86

SHA512
1ebf44353ac7323704f7779d61beaab4675431c2f41c1aa885134bca6287f3e092debe5b11485e0cb66209036b8e0e5b48246abf8f0fe6f210e62ff2ff1dca10

Download Submit
C:\Windows\SysWOW64\Apimodmh.exe

Filesize
64KB

MD5
3ec2ec1f746b18250aea7c07ffee4f6e

SHA1
fe760aa233937f93e34a14bc073deb4454e51cbf

SHA256
8ee696c0d134c5b7af7c8eda57a21bb74c9b82b13b31c81d3d1e5651ab9be6ff

SHA512
ff8aa1bd2e36c2f78568e1179a18cce0f66b75f877ba901ee5a783c1b39a482a8e3ad4321aa82912852628f6d42250756a1143f36254f163073fa54b055a360b

Download Submit
C:\Windows\SysWOW64\Bpgjpb32.exe

Filesize
64KB

MD5
d75c08d2b460bd024415476e6d500cf5

SHA1
7b903b597a4392df7eb802164dbd116ad136bfe8

SHA256
5483e6472aa7f9b48283d513727f018f2ad6a9bd6552b52cefc50a4088e3fdac

SHA512
50e628cefc87446696debe4330c5b86ba14a159d4459a91bc3346fd9faac411301b02ce6a437df0ca816b2ceb917c9987f427294d3e17e5716b623304f9177d1

Download Submit
C:\Windows\SysWOW64\Cmbpjfij.exe

Filesize
64KB

MD5
bf45f9e33df86f42d33814e3ad2dff0a

SHA1
7730affff2684bf1e3c7c718c6ae0856d7e9552f

SHA256
b5ac1bdee45268c62492a51045d68d34505d3b2df9e0629a04b44b8c33e2b96f

SHA512
462c1f3a9ecf7c4f1fed7ead22103799df5100bfc9131dcea944ccc9d3e7f7ae4c1ae01bffd71ad5c232bf0af68577e4347d63cf5c38185c7797d2709931da25

Download Submit
C:\Windows\SysWOW64\Cplckbmc.exe

Filesize
64KB

MD5
03877b0ff4045e8e1056e8d1d9ca1ad9

SHA1
727a8b6373b7f771d4b6a343cadacd065e8d24a8

SHA256
a27b54c566c05ce461ffe483d48aa63bf5858e31390aac27f1cb5c7698c644ba

SHA512
e626cb584e76c63a16bd352f5539ed1d0c167a569198a3486da3e942ef51d530a98f52daf66c5e2ff781295b74a391660cbbdb700fb064b47b428e0294daf6f1

Download Submit
C:\Windows\SysWOW64\Lamlphoo.exe

Filesize
64KB

MD5
bf3fc29a68e58e89e5ef245f7d22caaf

SHA1
2431633516cc3a461847de184284eef51e9696d3

SHA256
f115272b63b884c3834aa84c6f41c9b17a7b645202d77b71e01862410f11b0d8

SHA512
fc02f7ec01d86c01f64e6bb474ea8c32e715cd6d69e15a83b957f690aa67e550d3bbcc90150feb84a820c57b4f24c8ccfa847b2c755ac6cb218bf3285c1c4f4b

Download Submit
C:\Windows\SysWOW64\Lhdggb32.exe

Filesize
64KB

MD5
98fde4e82c90f36f0c78ed3dec26a655

SHA1
8f4452b303d29bfd818adceaf7f47c4f29d4737a

SHA256
7e0b62c99853fe5e7b04621687c1a481abcd077019b4a0df22594588ba3391ae

SHA512
7cc43d5fe6cb01c93e363abfb3af046f12bc95d7d52500fc810a5da263fd4c39ecf0716fcbc9be11f79c6b5a4594c95e8dd58f7a196fe5ab51f799a82744c33c

Download Submit
C:\Windows\SysWOW64\Lhgdmb32.exe

Filesize
64KB

MD5
97175c14984be644a0df9b92a50d9709

SHA1
648ab72c4c826e02724f9b8e24a4bef5bb4e31f7

SHA256
17ed4e75349903b64c79561dd8f84317c5a1bc4b2023290d25f69ed2e463e72a

SHA512
f759aa1cc5a1aadd532e1388b04aa7ffa228caf2ce06b459c12570afebe158daf70ff3b2fcd82d5bd8c6cb80a24c84dc4e5c1f92407579341d057f9c5b915df5

Download Submit
C:\Windows\SysWOW64\Lkcccn32.exe

Filesize
64KB

MD5
22403b26b9028d5faa86197b51896d0e

SHA1
d7a492bc20ecdd72616c57504dc8fbc44270ed04

SHA256
dd4634873817b91ba15772b5e465d1fa567849a77c84eae1c8a7b5dcf7a5a646

SHA512
42999d9e921d1d679761697121845840e430a9bccb1c3817a1776d2261d378f5f299bd9807685f76e8a7ee9c24164e0a789c9461e640867c731981a0542959cf

Download Submit
C:\Windows\SysWOW64\Loopdmpk.exe

Filesize
64KB

MD5
0164dff8f7b6a4b05c2f1b62380b7f41

SHA1
aac01c881f98b416d66c59d1168cc4e5d57db84b

SHA256
453f23731d327958a2d43b749e9c05fd694064f855ce6eab7d20c37ca1c4040a

SHA512
8bc50b62cebc19d41e7707d6c65374dfa02daa425d96db352abbe5d132ae3d85df9a341474d553eeae5cae0b871b6c03859d06e35cc62386ae731a698c98edf3

Download Submit
C:\Windows\SysWOW64\Mafofggd.exe

Filesize
64KB

MD5
03a50bc0b3579c16bdf12e1826675e76

SHA1
ec1d9dbdc5dc5465d38c650f3c6a377f07c72252

SHA256
e8d74d9ab436d1585abb41eb2c6d5d62035603f03362cd836428e960513c96ad

SHA512
0abbe186d6dc75769c7fb8463bae8e51d9a318f5c4f04822361e84a9fc1fca9c379eda0c3e44280fe61540f8f5ae9aad70d33aeec5e66e3d732046f17bf59f34

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe

Filesize
64KB

MD5
059075b6b49da3017d1873723f53bbc4

SHA1
714a5f537a8c8a389220d429b97000c7075d8c42

SHA256
a444b8b5a5ae6bd20597c7eadf3df98d33408e33edcfc4c88ad54e233d14234a

SHA512
4d4f32123c6008e3e222504831be1dbf49b24f19ede361b9474a98c1bc0a1523d088e0ee2e3bc2754c571003b0bf0abba252ac188408271658aa0c3f098ea082

Download Submit
C:\Windows\SysWOW64\Mddkbbfg.exe

Filesize
64KB

MD5
ae4b3914c474182cc6cab078b74c727b

SHA1
7d594eeb08c19e484effeb97b03bfe1c6d639d7c

SHA256
150895e31d0c3240f1d335b5365b994e19e555825596930f57bf11365fe424ed

SHA512
c9131f562c1581f022e3d9bb217425acc58e58bc1fb8405434053fa7892f70c32b01b551b196115611672c138c9f7460600cf9886f760e66a83bd53cb3d54029

Download Submit
C:\Windows\SysWOW64\Mdnebc32.exe

Filesize
64KB

MD5
8cc41de4ef0fe42f8789f70b90a5e9a1

SHA1
33ba5aaea1bf37442f1c7a307b728ec9667a094e

SHA256
a35b0f36e05b35ffa8bec5169c5b6758b694d9b9ac2c6703565e8a1a0e2f5112

SHA512
3d581d4e2ac42d1c5ceb96cd29dd03aed5fc9015e271048a50c109a127fb3cf45d59ff828213c051d579ea7403580d04e36e2380ce795486b7da59ad79f28abb

Download Submit
C:\Windows\SysWOW64\Medglemj.exe

Filesize
64KB

MD5
d82129b691630934ccad59ec9cb4b36e

SHA1
4c168b881e0692459ccaa8cf84cffb897bb97ec9

SHA256
463a828b8034fe7c7e6709078474844be3fc09cfa13255b1cffb21de3f21bf39

SHA512
217eebf4ceb5695565bba3417deaa03c7143b520b2ed067546fa55457b8a029c1f992b0ff7726d791c888dd737e67975a9612b2c1f13e26f69169da0df4c614f

Download Submit
C:\Windows\SysWOW64\Mlbpma32.exe

Filesize
64KB

MD5
7f69862fdf45739362cc0cef52339796

SHA1
8d57dc2b20b54b6a9653faba7d50b2dfe2f71c64

SHA256
84c9ab6270e75b0c4e265e80a29265fccd50575b81e99d94a40364de7e3a72a7

SHA512
4b67033d2e3e66ff3fd040131e161b5d7fd63e03b0d8b54f0b930c422a937b74960956dd8c8961c49169054f33df031ea91f0e5091da2f7e2cdab87da2594c16

Download Submit
C:\Windows\SysWOW64\Mllccpfj.exe

Filesize
64KB

MD5
be896c336d686b1d9a4ffc208a053f13

SHA1
b7c7d072625d0e87dfe95769276036bccfdb6489

SHA256
985f0cc44cdb18ac3168cf41d406f9c99fe2d20446a76f8130dc1ca6b4c7a36e

SHA512
53b6a14529651af238ad5e0507c130b78b2a19c16e8159811476930b5556509713dcd1b1de172e7052aa48d754258b0755cb2d7568087056160e8d1e717a8732

Download Submit
C:\Windows\SysWOW64\Moalil32.exe

Filesize
64KB

MD5
61e34ca27742fc9e51a453af02c6967e

SHA1
da6bc4af716b63b47a1031e5c60d361de81ff7f5

SHA256
d6070458006ae5eb8aeb3989061ab5402ba5307c4d4286fa554ff2e6667021eb

SHA512
a7937330636bad405e317596492e9ae8c09830d724c894dba5c7f06765a4f975c2531cb7d572eae7eb7d8b15eb1c5fb44061ba5dd0a5b57f374be48809349342

Download Submit
C:\Windows\SysWOW64\Namegfql.exe

Filesize
64KB

MD5
f0b7b331b560a9e68361bae67acaeeca

SHA1
41693dedadfa4834695424e90dc1fe83192a7768

SHA256
4e9044c76f7f2f09411446764055f630a84695feca0cff4875bcf774f0950e24

SHA512
ea9496e38e2283cb21f608f3673237657e6d2bf8e294179fbbc11aeacc34931b2c7dbd182a3aeda32f941ec20bbc75727a059b9b7f166b04e8415990e1a4fb05

Download Submit
C:\Windows\SysWOW64\Nbdkhe32.exe

Filesize
64KB

MD5
f71132e7e5456a5b88099d9609214ac1

SHA1
4c81fe7da3197a416a7c35c5d0b2c9a856153a7f

SHA256
bbc556893136328295ea9bf1c2a29cfce22f08154d78479a7098b8d7c08faa26

SHA512
65cc844108a1581f97d8a7777eca5a17d4597f9ceb3c8fe1ed6449187ce7c8ab1d6c23209ad231159450adcc941abb4bf40e5f4dc3138c2343e852b97228860d

Download Submit
C:\Windows\SysWOW64\Nchhfild.exe

Filesize
64KB

MD5
c1cd3e6a167dfbde2c3fcd64bb04967f

SHA1
b63e98d3d9da0e53efa2a67326d55adc864dfc0b

SHA256
589f5938fb8f27905252333743b36e447d6ae6687fc70a1fd447b55748cf1589

SHA512
c12688924e4e15a7a974964aca2b5b10c6a897b9bd4806a5458d647bc8a66736daacece03baac1f164e8e36af5c370c451431bcfd503129ea17ab07e64a481c8

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
64KB

MD5
5d51eeaedccc2fbf1a6cb2a559349d13

SHA1
3f2ca855b07867429418cc4363df6d30914c8e2c

SHA256
5614fcbdd91345ab7001fa4dc86c0a1fd39c9eb8e0d98167789de20d860bec47

SHA512
1a3c82dbc60cd75744a3ae32abd159d2a78bb1a737d2c070f0f76f1f3e8cdcdbd8a5a1b1e53a2e22185bcab39256ae1fc46815d5b043902d2e0fcecabf85c850

Download Submit
C:\Windows\SysWOW64\Ndidna32.exe

Filesize
64KB

MD5
519cebdcd67829ff9de093e73b445023

SHA1
b1c0e739fc892975f9f5201d180b49cddba61048

SHA256
ea1ef821edf72eb01239c22b9201d6e409ca4359aeb4735053d43ca1fb696c9a

SHA512
a7c04e5d2f9c4178067c88081ea63e117f4c21f4f92b29aaa47f7a4d4ad5aa46fb18435b785ea013e8e248d64392ab1f0797ca6fe5ab7e2cecb1e0236fcc46ae

Download Submit
C:\Windows\SysWOW64\Ndnnianm.exe

Filesize
64KB

MD5
fe10e5c59ecc6dcab5af74cbe71bae9a

SHA1
70ba423a3bc260460cac7abd42c874b217d68387

SHA256
9d4ead76a6190ab010932cfb241bbe55ac18e31dcdae488776617e256130a2fc

SHA512
cb14067e6eb3ae89a66a7234411385a436a105ce37f482f40c3741596c59364cb2a663bd09f9715b9f8e981303e3f2e963ec5cc060a930437581650a1e17f229

Download Submit
C:\Windows\SysWOW64\Nfnjbdep.exe

Filesize
64KB

MD5
b22dc3808845558588eabcfa74a6c773

SHA1
e3eab13ead56d3b605e09950958ead4510b4de06

SHA256
bbc8af7309662a8846e08302c949532b4b5563b82b12a2baf381c7bddea79e52

SHA512
2e12156feab6176144b20663368e491a10dc94e59ac882de9a3e18ceb7537de8b0613c0dc49c25aaf4904f1fe733dada0994ca19e606f717e1b104ac5fd230c4

Download Submit
C:\Windows\SysWOW64\Nfpghccm.exe

Filesize
64KB

MD5
681e7dc605c246dca48234aefef2b8f0

SHA1
7b6d78cef94178f652266186322e2e392baa318b

SHA256
addf84bef66ad4f112566fb33203f22dc8905ceec4b38296189e47e3961ce7e7

SHA512
28cf720e41a54120e1d719766e579c4a8811769611daa63d2372acb5f3737eaec6a2f99e627ec61ac652e981ecfd47c51273330795cd04ebf01a389d2774318a

Download Submit
C:\Windows\SysWOW64\Nhgmcp32.exe

Filesize
64KB

MD5
57b47d1ac385695e586df7ed84ef3e77

SHA1
268f7e9e4252ecd1c7f730e510924bb22fcedb17

SHA256
e151155eba688063167ca3817193d0439bc16cf6aaf7858d82885b8829d5cd9f

SHA512
99adecb56b9076076caf8aa3a749d998f46b253c39cd697a15d0c2809cb8f981058ff97fd756f452708ee33f6321d6b41b2a59de9f8e4c8ca79192f2059048af

Download Submit
C:\Windows\SysWOW64\Nhlfoodc.exe

Filesize
64KB

MD5
65d7f35f305cf5c7f70e7703db092334

SHA1
166d88e8ffe49b98b3a3235ee56f1c32a4c32f19

SHA256
55a5360f8102cf201f92ace574ab1b44659c3e988f4193d3fbc58446379090d3

SHA512
022708c6f8364820e51f94cb889a3417af88f6df63a32272892d0b192eb2440caf22c6187b52c48ff76e7ecc200f25cb2868ea15e298355ed893a5235771ddd9

Download Submit
C:\Windows\SysWOW64\Nkcmjlio.exe

Filesize
64KB

MD5
28ba1af09596990395c9a9038bced232

SHA1
ebdb164741ab524ccc5edd8daa57fe1db249fcb5

SHA256
2df52fe24fe14542b8e31a6cecb1732e4dea2a70aec171230adddfc2e25892f9

SHA512
1aff901b4a504759b5475a28f7e62a2c897962345e081b6bc8d60b7af26bab7a4bccf9cd044b28e26742207b459e3d1163931b4aa2dd5e36f2ccda9e2505e51d

Download Submit
C:\Windows\SysWOW64\Nkhfek32.exe

Filesize
64KB

MD5
5960d36e2a9d59a029d2ccd14d04b578

SHA1
407f8e8666c38fa936f8d36e59c087a84ab9e9ea

SHA256
ea4f6a88236152525525e14062530dccea06ad4a0614e762ff7c2bca0f570cda

SHA512
1878cb296b545bde148649d7de505595e74acb1a1188e9825ff9c6c5fcf7712a53e160c285a862cfa4fc3111346b5973c28980ba53de9581c6d41c1f166b585f

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
64KB

MD5
055103034f02dffa8bc5c825d57219d6

SHA1
fe030c3b8ac159cff369702a7955e579fdc2f242

SHA256
adbfa15f511fe2889451410b91c133faa9274cfedbf862f68e84569fcea0aa38

SHA512
d431df0abb154cf7473ce0b92933272af4343a7841b9f01a539d86edda0231c4b7b76c806bb72fb88fe677daa9fe42b35c8b31302347bc6cc145684f21b145ee

Download Submit
C:\Windows\SysWOW64\Noaeqjpe.exe

Filesize
64KB

MD5
ba58a8a3204196bbddee0b1531efb791

SHA1
6aba53c45b7c4e2928411cc81005a15736c920eb

SHA256
1c2a511941a0e5e79f0392880d614cd47d7f74547fa72d88a5f331b04c75f801

SHA512
183a230b1e3fa19de8a9b79f1873e8f694f1026fdf774c1ad771f89783a4e4a115b5969238442e10df8387bc658f2307fb072b8db15480d68b77cca0e3fbc09b

Download Submit
C:\Windows\SysWOW64\Obfhmd32.exe

Filesize
64KB

MD5
30a4219ee42f2b8c80f62639bd8abbb2

SHA1
40cd6dea06a1f680880825f5fb02ce5c00a0b078

SHA256
8cf4801a5943b4876e7fc07cbe775e396d2010fcbc688a967e7ad64808e3d8bb

SHA512
cdfbfed15c2c2dc872add809db653800286d71e9eff2adf4e6f694297672e7b2dd6e5fdd1ac937b48d7b233432d80396242139c3bbec4059ad1e18428a7198e2

Download Submit
C:\Windows\SysWOW64\Obkahddl.exe

Filesize
64KB

MD5
fe16d4b51fcd5a74271b5bc25b9dda39

SHA1
e3031c4c39a43f2487e30d4cf2e82d3740d41a6b

SHA256
731c62774f73603864b93854aef3d12147ed1904058cebc465c8f7b73a7273e2

SHA512
e079e99346dd36cba41ddc7c32c3af2bf77036dbca967316ca44537b9fabc9ffc9b273913be3cc94b2d96a26f57ce901d17f1345241fdc06515b0550569c74e6

Download Submit
C:\Windows\SysWOW64\Ohncdobq.exe

Filesize
64KB

MD5
c8b07b36cad056ad539a4dd0736496bd

SHA1
76e073b82cf9c45ff3419d51e79ff0ab04c54b4a

SHA256
2b119edceb48ddb1ae217f3a650451e9292491a659e30c6b8aa95aa2a67ab004

SHA512
752dbf16657f345499e00966c91397f17d2f40d7b8a1c3393fdcb868ba5a1f6e06feb8a3d6958688bdf51d92d998e015ebd25ab862fd3d7c533d5c58a2dcbd98

Download Submit
C:\Windows\SysWOW64\Ohqpjo32.exe

Filesize
64KB

MD5
72c1a96d413036396461ce96f0b0df92

SHA1
4817e2c41ca5d846af67a61084b60f6990102a44

SHA256
c8e01416f14283ef86f417c268a29d62801c2dfa8b843144f9bbc8e4b410db85

SHA512
8846066bbb2ea4d002483781c371614df1585be871dda51d59808002eb50df6d136f78936663413278ca2b0cefe240156e07c883297f3dbab364fbf4dacaa243

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
64KB

MD5
6fe9ec2b9ce8b9ee8c4cd62d81922fed

SHA1
9a9cdbfc38764b765b19f0afda6fb6fd79105bfd

SHA256
b56d2ecb7d53d5aa513a06241f836450d56a1d477693c81b3433644133e1f24c

SHA512
7d563f616a8f20cb8be47a943cd737b1028e1e33d7b34d65e8f5671c40e07525e6c5d918e82ce648a3b89e6de5b95b6889e39fef7e4603a39e0abd5b86ba9cda

Download Submit
C:\Windows\SysWOW64\Okolfj32.exe

Filesize
64KB

MD5
df33649b645249150e6d2061cc34e907

SHA1
b99c40976f07d947b6869eded83e67cccf9fdbfe

SHA256
946df9667e7fcf350b91f806ac9d1818395199d3d9e0288c5a3706d9abaad076

SHA512
a6068b279a94ae76e43162ae559b68e7db1a5db83c2357a2fee57df6a5628255621c02f85c02cee89e129518bbf2ddae3280ff14a82f55e05d6e25b7c5387e8f

Download Submit
C:\Windows\SysWOW64\Qfjcep32.exe

Filesize
64KB

MD5
dfceb3300db0d185799ea96a549df37b

SHA1
719a41e61b4e7a50a2e6a194a6d623a003546f1d

SHA256
5ad92e45191d3f30cc3c556392d5c51b98e7f2523925bfeb1bd00cc2fa751d17

SHA512
7f359738b86feb8817d4f2fcc253ffdb939e3a2e96f426f0368801e66ae425204a7930157f339fc77da96eed827c2789d7724acb0b8325c7013f7d46167aa298

Download Submit
memory/232-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/680-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/928-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/980-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1204-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3320-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5160-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5200-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5240-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5280-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5320-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5360-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5400-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5440-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5480-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5520-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5560-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5600-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5640-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5680-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5724-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5768-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5812-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5856-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5900-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5944-591-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5988-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads