bebe9ef82b1636cf39cd5724d3f680c4e1b4edaaae7efc1dce2c721d5cf8b23e

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f954d70d6bf36d733dcc709afc4229a0N.exe
Size

94KB
MD5

f954d70d6bf36d733dcc709afc4229a0
SHA1

6e2eef881657f4d5ebf26d1cf4c24d4efac1929f
SHA256

bebe9ef82b1636cf39cd5724d3f680c4e1b4edaaae7efc1dce2c721d5cf8b23e
SHA512

ce979fdbd0a5acd3f6579972d13cbe8c49845d69008479e72c2eb31266eceba6c0583c677768ebfa4c35d90be9af5f66a9982c5ab417c05232f70563a5c29606
SSDEEP

1536:b7dJlwToAo/8N6sHDN9VX8ZApceC2LFS5DUHRbPa9b6i+sImo71+jqx:vl9/8NbjN9VXbptPFS5DSCopsIm81+jE

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbefln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afqifo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oohkai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpifeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkdohg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeffgkkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdqcenmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aealll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f954d70d6bf36d733dcc709afc4229a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apngjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbddobla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cidgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nocbfjmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alpnde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oloipmfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bldgoeog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcfkpjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bboplo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alkeifga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f954d70d6bf36d733dcc709afc4229a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ollljmhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhpgca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpcdfll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbaehl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbgnecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhknhabf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oloipmfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bblcfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhknhabf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfbgiij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bliajd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bliajd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alpnde32.exe

Executes dropped EXE 64 IoCs

pid	Process
436	Maoifh32.exe
2024	Mhiabbdi.exe
2412	Mcoepkdo.exe
1908	Mhknhabf.exe
3008	Mcabej32.exe
2352	Mepnaf32.exe
2540	Mlifnphl.exe
2720	Mohbjkgp.exe
4860	Mhpgca32.exe
1448	Mcfkpjng.exe
5108	Medglemj.exe
2840	Nomlek32.exe
4848	Ndidna32.exe
2292	Nlqloo32.exe
2772	Namegfql.exe
1396	Nlcidopb.exe
1692	Noaeqjpe.exe
832	Nfknmd32.exe
1600	Nocbfjmc.exe
4888	Ndpjnq32.exe
660	Nhlfoodc.exe
1536	Ncaklhdi.exe
4556	Ohncdobq.exe
2584	Oohkai32.exe
964	Ollljmhg.exe
4800	Ocfdgg32.exe
4192	Ohcmpn32.exe
3184	Oloipmfd.exe
3468	Oomelheh.exe
2208	Odjmdocp.exe
3380	Oooaah32.exe
1596	Ofijnbkb.exe
3280	Okfbgiij.exe
3716	Obpkcc32.exe
3312	Pmeoqlpl.exe
404	Podkmgop.exe
4840	Pdqcenmg.exe
4020	Pmhkflnj.exe
4424	Pofhbgmn.exe
756	Pbddobla.exe
4904	Pmjhlklg.exe
4568	Pcdqhecd.exe
1528	Pbgqdb32.exe
4440	Pmmeak32.exe
4384	Pokanf32.exe
1228	Pbimjb32.exe
3092	Pehjfm32.exe
4900	Pkabbgol.exe
1268	Pbljoafi.exe
1768	Qifbll32.exe
4128	Qkdohg32.exe
1584	Qbngeadf.exe
3120	Qelcamcj.exe
4600	Qkfkng32.exe
3672	Qpbgnecp.exe
3992	Aeopfl32.exe
464	Aijlgkjq.exe
2460	Akihcfid.exe
1776	Afnlpohj.exe
4680	Aealll32.exe
1292	Alkeifga.exe
4528	Afqifo32.exe
868	Amkabind.exe
2580	Almanf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Afqifo32.exe	Alkeifga.exe
File created	C:\Windows\SysWOW64\Cffkhl32.exe	Cpifeb32.exe
File opened for modification	C:\Windows\SysWOW64\Cidgdg32.exe	Cffkhl32.exe
File created	C:\Windows\SysWOW64\Aocdjq32.dll	Mhpgca32.exe
File opened for modification	C:\Windows\SysWOW64\Pbddobla.exe	Pofhbgmn.exe
File opened for modification	C:\Windows\SysWOW64\Obpkcc32.exe	Okfbgiij.exe
File opened for modification	C:\Windows\SysWOW64\Qbngeadf.exe	Qkdohg32.exe
File created	C:\Windows\SysWOW64\Qpbgnecp.exe	Qkfkng32.exe
File opened for modification	C:\Windows\SysWOW64\Bemlhj32.exe	Bboplo32.exe
File opened for modification	C:\Windows\SysWOW64\Cboibm32.exe	Cmbpjfij.exe
File opened for modification	C:\Windows\SysWOW64\Cdnelpod.exe	Cmdmpe32.exe
File created	C:\Windows\SysWOW64\Flekgd32.dll	Nocbfjmc.exe
File created	C:\Windows\SysWOW64\Hfdgep32.dll	Ohcmpn32.exe
File opened for modification	C:\Windows\SysWOW64\Dlqpaafg.exe	Dibdeegc.exe
File created	C:\Windows\SysWOW64\Dkakfgoq.dll	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Defheg32.exe	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Pnnggcqk.dll	Pokanf32.exe
File opened for modification	C:\Windows\SysWOW64\Cemeoh32.exe	Cboibm32.exe
File created	C:\Windows\SysWOW64\Dllffa32.exe	Debnjgcp.exe
File created	C:\Windows\SysWOW64\Mcabej32.exe	Mhknhabf.exe
File created	C:\Windows\SysWOW64\Mlifnphl.exe	Mepnaf32.exe
File opened for modification	C:\Windows\SysWOW64\Bboplo32.exe	Bldgoeog.exe
File created	C:\Windows\SysWOW64\Ddekmo32.exe	Dpjompqc.exe
File opened for modification	C:\Windows\SysWOW64\Ollljmhg.exe	Oohkai32.exe
File opened for modification	C:\Windows\SysWOW64\Odjmdocp.exe	Oomelheh.exe
File created	C:\Windows\SysWOW64\Pmjhlklg.exe	Pbddobla.exe
File created	C:\Windows\SysWOW64\Famnbgil.dll	Almanf32.exe
File opened for modification	C:\Windows\SysWOW64\Apngjd32.exe	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Mhpgca32.exe	Mohbjkgp.exe
File opened for modification	C:\Windows\SysWOW64\Ndpjnq32.exe	Nocbfjmc.exe
File created	C:\Windows\SysWOW64\Dibdeegc.exe	Defheg32.exe
File created	C:\Windows\SysWOW64\Beaecjab.exe	Bliajd32.exe
File opened for modification	C:\Windows\SysWOW64\Cbmlmmjd.exe	Cmpcdfll.exe
File opened for modification	C:\Windows\SysWOW64\Aijlgkjq.exe	Aeopfl32.exe
File opened for modification	C:\Windows\SysWOW64\Akihcfid.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Gdokakcj.dll	Aealll32.exe
File created	C:\Windows\SysWOW64\Eobepglo.dll	Aiabhj32.exe
File opened for modification	C:\Windows\SysWOW64\Bbalaoda.exe	Blgddd32.exe
File created	C:\Windows\SysWOW64\Befogbik.dll	Cbaehl32.exe
File created	C:\Windows\SysWOW64\Bdhfnche.dll	Nfknmd32.exe
File created	C:\Windows\SysWOW64\Kkpdnm32.dll	Pmmeak32.exe
File opened for modification	C:\Windows\SysWOW64\Abjfqpji.exe	Alpnde32.exe
File opened for modification	C:\Windows\SysWOW64\Bblcfo32.exe	Apngjd32.exe
File created	C:\Windows\SysWOW64\Icldmjph.dll	Bejobk32.exe
File created	C:\Windows\SysWOW64\Haaggn32.dll	Beaecjab.exe
File created	C:\Windows\SysWOW64\Cmbpjfij.exe	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Jaepkejo.dll	Cdnelpod.exe
File created	C:\Windows\SysWOW64\Daliqjnc.dll	Pbimjb32.exe
File created	C:\Windows\SysWOW64\Aijlgkjq.exe	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Dfakcj32.exe	Dllffa32.exe
File created	C:\Windows\SysWOW64\Hkjfpp32.dll	Cidgdg32.exe
File created	C:\Windows\SysWOW64\Gpngef32.dll	Dbcbnlcl.exe
File opened for modification	C:\Windows\SysWOW64\Dibdeegc.exe	Defheg32.exe
File created	C:\Windows\SysWOW64\Oohkai32.exe	Ohncdobq.exe
File created	C:\Windows\SysWOW64\Odjmdocp.exe	Oomelheh.exe
File created	C:\Windows\SysWOW64\Ofijnbkb.exe	Oooaah32.exe
File created	C:\Windows\SysWOW64\Pmhkflnj.exe	Pdqcenmg.exe
File created	C:\Windows\SysWOW64\Kipiefce.dll	Apngjd32.exe
File created	C:\Windows\SysWOW64\Cqbolk32.dll	Bboplo32.exe
File opened for modification	C:\Windows\SysWOW64\Mhpgca32.exe	Mohbjkgp.exe
File opened for modification	C:\Windows\SysWOW64\Mcfkpjng.exe	Mhpgca32.exe
File created	C:\Windows\SysWOW64\Dbcbnlcl.exe	Ddqbbo32.exe
File opened for modification	C:\Windows\SysWOW64\Qelcamcj.exe	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Amkabind.exe	Afqifo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5624	5396	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Almanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aiabhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alpnde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomlek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obpkcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apngjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdqcenmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofhbgmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medglemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcmpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcabej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mohbjkgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollljmhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjompqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhhbngi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkdohg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpifeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjmdocp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndidna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f954d70d6bf36d733dcc709afc4229a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepadh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncaklhdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllffa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbefln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjhlklg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeffgkkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejobk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlifnphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfkpjng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhiabbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beaecjab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bblcfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbcbnlcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfknmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbljoafi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbgnecp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noaeqjpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemlhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhknhabf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bboplo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beoimjce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bliajd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cboibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddqbbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afqifo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbpjfij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcidopb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkglgq32.dll"	Mcfkpjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmppdij.dll"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfmgqph.dll"	Bliajd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noaeqjpe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnkilod.dll"	Okfbgiij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mepnaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhmeii32.dll"	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dllffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnegipj.dll"	Pmjhlklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agccao32.dll"	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maoifh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mondkfmh.dll"	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mepnaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medglemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfknmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Almanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeffgkkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbjabqbh.dll"	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiipk32.dll"	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acicqigg.dll"	Nomlek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobepglo.dll"	Aiabhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noaeqjpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknmjgje.dll"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhknhabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaflkim.dll"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmonod32.dll"	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdogqi32.dll"	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcoepkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhlfoodc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhfnche.dll"	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkhikf32.dll"	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpacoj32.dll"	Pofhbgmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnggcqk.dll"	Pokanf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alpnde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcabej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlqloo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgedpmpf.dll"	Noaeqjpe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beaecjab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cidgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjfpp32.dll"	Cidgdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlcidopb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amkabind.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeffgkkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qifbll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnlpohj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 436	3796	f954d70d6bf36d733dcc709afc4229a0N.exe	90
PID 3796 wrote to memory of 436	3796	f954d70d6bf36d733dcc709afc4229a0N.exe	90
PID 3796 wrote to memory of 436	3796	f954d70d6bf36d733dcc709afc4229a0N.exe	90
PID 436 wrote to memory of 2024	436	Maoifh32.exe	91
PID 436 wrote to memory of 2024	436	Maoifh32.exe	91
PID 436 wrote to memory of 2024	436	Maoifh32.exe	91
PID 2024 wrote to memory of 2412	2024	Mhiabbdi.exe	92
PID 2024 wrote to memory of 2412	2024	Mhiabbdi.exe	92
PID 2024 wrote to memory of 2412	2024	Mhiabbdi.exe	92
PID 2412 wrote to memory of 1908	2412	Mcoepkdo.exe	93
PID 2412 wrote to memory of 1908	2412	Mcoepkdo.exe	93
PID 2412 wrote to memory of 1908	2412	Mcoepkdo.exe	93
PID 1908 wrote to memory of 3008	1908	Mhknhabf.exe	94
PID 1908 wrote to memory of 3008	1908	Mhknhabf.exe	94
PID 1908 wrote to memory of 3008	1908	Mhknhabf.exe	94
PID 3008 wrote to memory of 2352	3008	Mcabej32.exe	96
PID 3008 wrote to memory of 2352	3008	Mcabej32.exe	96
PID 3008 wrote to memory of 2352	3008	Mcabej32.exe	96
PID 2352 wrote to memory of 2540	2352	Mepnaf32.exe	97
PID 2352 wrote to memory of 2540	2352	Mepnaf32.exe	97
PID 2352 wrote to memory of 2540	2352	Mepnaf32.exe	97
PID 2540 wrote to memory of 2720	2540	Mlifnphl.exe	98
PID 2540 wrote to memory of 2720	2540	Mlifnphl.exe	98
PID 2540 wrote to memory of 2720	2540	Mlifnphl.exe	98
PID 2720 wrote to memory of 4860	2720	Mohbjkgp.exe	100
PID 2720 wrote to memory of 4860	2720	Mohbjkgp.exe	100
PID 2720 wrote to memory of 4860	2720	Mohbjkgp.exe	100
PID 4860 wrote to memory of 1448	4860	Mhpgca32.exe	101
PID 4860 wrote to memory of 1448	4860	Mhpgca32.exe	101
PID 4860 wrote to memory of 1448	4860	Mhpgca32.exe	101
PID 1448 wrote to memory of 5108	1448	Mcfkpjng.exe	102
PID 1448 wrote to memory of 5108	1448	Mcfkpjng.exe	102
PID 1448 wrote to memory of 5108	1448	Mcfkpjng.exe	102
PID 5108 wrote to memory of 2840	5108	Medglemj.exe	103
PID 5108 wrote to memory of 2840	5108	Medglemj.exe	103
PID 5108 wrote to memory of 2840	5108	Medglemj.exe	103
PID 2840 wrote to memory of 4848	2840	Nomlek32.exe	104
PID 2840 wrote to memory of 4848	2840	Nomlek32.exe	104
PID 2840 wrote to memory of 4848	2840	Nomlek32.exe	104
PID 4848 wrote to memory of 2292	4848	Ndidna32.exe	106
PID 4848 wrote to memory of 2292	4848	Ndidna32.exe	106
PID 4848 wrote to memory of 2292	4848	Ndidna32.exe	106
PID 2292 wrote to memory of 2772	2292	Nlqloo32.exe	107
PID 2292 wrote to memory of 2772	2292	Nlqloo32.exe	107
PID 2292 wrote to memory of 2772	2292	Nlqloo32.exe	107
PID 2772 wrote to memory of 1396	2772	Namegfql.exe	108
PID 2772 wrote to memory of 1396	2772	Namegfql.exe	108
PID 2772 wrote to memory of 1396	2772	Namegfql.exe	108
PID 1396 wrote to memory of 1692	1396	Nlcidopb.exe	109
PID 1396 wrote to memory of 1692	1396	Nlcidopb.exe	109
PID 1396 wrote to memory of 1692	1396	Nlcidopb.exe	109
PID 1692 wrote to memory of 832	1692	Noaeqjpe.exe	110
PID 1692 wrote to memory of 832	1692	Noaeqjpe.exe	110
PID 1692 wrote to memory of 832	1692	Noaeqjpe.exe	110
PID 832 wrote to memory of 1600	832	Nfknmd32.exe	111
PID 832 wrote to memory of 1600	832	Nfknmd32.exe	111
PID 832 wrote to memory of 1600	832	Nfknmd32.exe	111
PID 1600 wrote to memory of 4888	1600	Nocbfjmc.exe	112
PID 1600 wrote to memory of 4888	1600	Nocbfjmc.exe	112
PID 1600 wrote to memory of 4888	1600	Nocbfjmc.exe	112
PID 4888 wrote to memory of 660	4888	Ndpjnq32.exe	113
PID 4888 wrote to memory of 660	4888	Ndpjnq32.exe	113
PID 4888 wrote to memory of 660	4888	Ndpjnq32.exe	113
PID 660 wrote to memory of 1536	660	Nhlfoodc.exe	114

C:\Users\Admin\AppData\Local\Temp\f954d70d6bf36d733dcc709afc4229a0N.exe
"C:\Users\Admin\AppData\Local\Temp\f954d70d6bf36d733dcc709afc4229a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\SysWOW64\Maoifh32.exe
  C:\Windows\system32\Maoifh32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\Mhiabbdi.exe
    C:\Windows\system32\Mhiabbdi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\Mcoepkdo.exe
      C:\Windows\system32\Mcoepkdo.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\Mhknhabf.exe
        
        C:\Windows\system32\Mhknhabf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Mcfkpjng.exe
        
        C:\Windows\system32\Mcfkpjng.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Nomlek32.exe
        
        C:\Windows\system32\Nomlek32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Oloipmfd.exe
        
        C:\Windows\system32\Oloipmfd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Pdqcenmg.exe
        
        C:\Windows\system32\Pdqcenmg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Pmjhlklg.exe
        
        C:\Windows\system32\Pmjhlklg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        49⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Alkeifga.exe
        
        C:\Windows\system32\Alkeifga.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\Afqifo32.exe
        
        C:\Windows\system32\Afqifo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Amkabind.exe
        
        C:\Windows\system32\Amkabind.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Almanf32.exe
        
        C:\Windows\system32\Almanf32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Aeffgkkp.exe
        
        C:\Windows\system32\Aeffgkkp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Alpnde32.exe
        
        C:\Windows\system32\Alpnde32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Abjfqpji.exe
        
        C:\Windows\system32\Abjfqpji.exe
        69⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Bblcfo32.exe
        
        C:\Windows\system32\Bblcfo32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        77⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        82⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Cffkhl32.exe
        
        C:\Windows\system32\Cffkhl32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Cmpcdfll.exe
        
        C:\Windows\system32\Cmpcdfll.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        88⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Cemeoh32.exe
        
        C:\Windows\system32\Cemeoh32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Cdnelpod.exe
        
        C:\Windows\system32\Cdnelpod.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Cepadh32.exe
        
        C:\Windows\system32\Cepadh32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        99⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Dllffa32.exe
        
        C:\Windows\system32\Dllffa32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        105⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Ddhhbngi.exe
        
        C:\Windows\system32\Ddhhbngi.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        108⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 408
        109⤵
        Program crash
        
        PID:5624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5396 -ip 5396
1⤵
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
1⤵
PID:5520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Blknpdho.exe

Filesize
94KB

MD5
2dd82e4ef1518727c253769d5c937785

SHA1
e50393bf2612f713446e92ebd146e9794e8f2246

SHA256
d6b981207373a341d35cb7e4fa658101de652e89ecc9927959f9eabd340b1ea7

SHA512
5064e1927f31e4b5d9a72aa98309e7a2bbe8284362603cd6ceda970fe83ad867d4e84cf0fa19d57db65d21aa70c52261f0964f5d6732dc2b1c6576b561b04714

Download Submit
C:\Windows\SysWOW64\Cemeoh32.exe

Filesize
94KB

MD5
a16d4f2f505b7d4543d29f5264e66d4e

SHA1
3369d01412dc74cde91705a7f3d4611e8cbb14b5

SHA256
837e4c4e2fec9a16ea7c979cbed6b612f301a00c8579354eb469a6d63f673a31

SHA512
febfa2493b84d2443f906edfb7ce6fbe8e902c7ce5425efc8c0a98d635f467acbd203c00e1f7adaa67584bebff7d091b28d1425f2aea6e57b0f607a8d06988e6

Download Submit
C:\Windows\SysWOW64\Debnjgcp.exe

Filesize
94KB

MD5
d50f04a776371c34153b43144574a4fb

SHA1
423d378a5f81e2e4ea9c6722e276f02b918ef897

SHA256
652580daa2cb255ea6f7eebf969a27ca14e0f9dedb38626a6a5120c31f227419

SHA512
121298fe3141c981b3a5afd5eaac33967c74574d3965f9da7bb30b5229c4c16aeb8f4af02428669d5d7ad75cfad3023c199b1f7c7e04286112c7ce3d14a34b95

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe

Filesize
94KB

MD5
c9dc69458f0f48b3f1770d8898c9a654

SHA1
fbc3321b2011546ed56c91fbbc886a594feb1140

SHA256
8045e9db874666dc381d2c7ab6cb4a107c8becfa1ceba5cf97e74de074cf38a3

SHA512
1b5ab2d2331d235780b7aeac949266473997cf76a82b557d1715582d4c2d488e1b5759d9a53a257f707a6bbcbcba8bd5906655aaf430e4571bb7413c36683a0a

Download Submit
C:\Windows\SysWOW64\Mcabej32.exe

Filesize
94KB

MD5
e10fc5869de92de9bbbb8e64366f50b4

SHA1
e2e33b6016f94bcd40f67c3a7a78a965d80d0770

SHA256
1a1d4f26cd676be532fb2a26ca5d9b80e1bb94eb8c03e9c74333fb08db5f2db2

SHA512
65c0c0cf768c0260ef3f103b45c9b3157b9bd6eaa13689e45f829c2e705b1d045981016300ad66f5bbaf9e9ab9cdd911c7ed262868298810bfc904af83bf20e9

Download Submit
C:\Windows\SysWOW64\Mcfkpjng.exe

Filesize
94KB

MD5
fedfe55f88dbe1e7f8d41b15d00ce7ac

SHA1
eb63c9f997e6099198aad9d2dbcfa00ff4d46746

SHA256
c1350c4345d475a8914007f72c6cfec0748d6e9fbb1ff1b2b927c3fb6c159030

SHA512
f4f41bd00a71c467072bf49d04df8a9d6e6fb63ef22f389b00af5e8718e3db236ed3b130a8928c67526a01cb2a09a868acfd07c84c5e7be83f439596efacc20e

Download Submit
C:\Windows\SysWOW64\Mcoepkdo.exe

Filesize
94KB

MD5
05ce6b9045c7b412241d52edb3328716

SHA1
1efaefed6cd1c548083087f5238a4897e3df2e56

SHA256
ad99589643b765749cdf530d9299ec61d09ae30317be8299cfaa593c18a32a68

SHA512
202221f330a486d0154a8c82b4b4a4ab0277f4e3955595d7e213d738e61a98fbca119573045d2087d1a15b028eba799e3972eca7d6c69df53aaff6bc832f4b15

Download Submit
C:\Windows\SysWOW64\Medglemj.exe

Filesize
94KB

MD5
e92e0d78739ce1fc640447d006468485

SHA1
349ba1d9740bf47a73604bf8f3effc4ee5a5a468

SHA256
27153a9acfa05b0843737fd873485730b2d063472500fbc6e506f61edbbcfbe7

SHA512
9bac48a69ca5aaf717f5ca9c214bcb914f7b9a68166320d8f176dff3ad45da42ac785967203bd59238e4a4670536b642cef3636040f163b7fc670f49ab2214b0

Download Submit
C:\Windows\SysWOW64\Mepnaf32.exe

Filesize
94KB

MD5
ed14cf98f2a3e200a4b1c000564e62bc

SHA1
a474638de2779e6acb4c1b44dec57f6bbe00350a

SHA256
fad1d3b2441e6e94b29826748d2275031d6605a4315ce1668595690d8fd17314

SHA512
71ad010df3f5747d29536ac8e3b640d84cc33b74c50ecdc72b8cf65fd004b575fa004cda1611363ff8fedc13ca6539ec10c40edc4e16d79f3ba994bf3fc78725

Download Submit
C:\Windows\SysWOW64\Mhiabbdi.exe

Filesize
94KB

MD5
77fae457b5587ef4d8dec7dfc2944090

SHA1
2caa3a3f0f49a546f64c9d7abf4640a41e4a4fc4

SHA256
55af8dc8ae388958832b13eb64ec8752083bb6264c6132cf5129e64797fecb95

SHA512
b7d43c2d6390d66ed17a2e2e1cbc6c940b59b351ff721a39b4c48b17716156d4a5b3170660b7256862555468a4ef470b576289b34bcd77c387d47bdc1a774339

Download Submit
C:\Windows\SysWOW64\Mhknhabf.exe

Filesize
94KB

MD5
9fa7478b5e29d60565b577deda44969e

SHA1
8703cdd46af51eb6caa694ed42fefb1591ad623d

SHA256
7351f5b1962ee04624669503764509afe4ee1f3cab2049d3817edba8c3b8f378

SHA512
748cd244a4b966be552d148d45b45188dd5ed0f381cce2bc47fc2b247f7cb8ae496f7fb46000912305cce5acf5f4c82e86d7a671ae7b3f1e0c9d0f53251c472b

Download Submit
C:\Windows\SysWOW64\Mhpgca32.exe

Filesize
94KB

MD5
7a14d3029b32157d8eb5e9c646695dd3

SHA1
ba874e68500399a3692529d94cc70acd350ccc97

SHA256
83cb4bb45b0ed4ae970021f9012636cc135f742b8d51b9a5001fede5de19f3b4

SHA512
5eb2331d9e2fbda1542860af8e6460c3717f85200f5451297936885ac9be136eda668ae37019e0cda206b5c563aa4667da8806b389846ff438cb4e3d9e5c1727

Download Submit
C:\Windows\SysWOW64\Mlifnphl.exe

Filesize
94KB

MD5
85e13a1afddc25af76a2e334949b8c66

SHA1
380475fad27709343f35683b6f7bf86e5ed03ebc

SHA256
8067187b945fb8129f6aeaeba85de8b17fc1852629bc1b70ccf2ac6cf3e2b830

SHA512
27894ad0a5356eede9b61e4fd7f012c3ff315c0bf8808f90be1e7dbdfee2f6966648a3f2b4c9c1cfec0953844572636768ccc5c23463aa409b85713012006daa

Download Submit
C:\Windows\SysWOW64\Mohbjkgp.exe

Filesize
94KB

MD5
3ee0004115f6229c8966f99aeeff1d0f

SHA1
a1908fce1b0d1f42bf4684a8f82c45f7757472e8

SHA256
117edc362e60aea0519f479b1c25186721b7a6f1fda7f73f9ba4f0d0547a366a

SHA512
43b7df63f30fd0fe0166b114eb8d3a2c68b24cfe1505baf8abd7f0a9a51e9a12b2fbb35be2a2c0079a1d5c9b5ce58c2383e2d342513542c693067f6f734adb48

Download Submit
C:\Windows\SysWOW64\Namegfql.exe

Filesize
94KB

MD5
ed2ed7d0e92014188ca30094b8c2c62d

SHA1
e1bba47828fbbd07b44a454dafbb4c184e9556e7

SHA256
3534625e9458d36244e1410db3d47652514541bc096619d58ed447126e3ae28f

SHA512
883768b6b2f230aff44d50365f36cf7cf40df33fbc4dc63ea8328af0a939b67b46b9366afc8572208be19e091a4c322827eecd98f90e78481a579d4ae9a65f57

Download Submit
C:\Windows\SysWOW64\Ncaklhdi.exe

Filesize
94KB

MD5
6febf9de73c6f554f6b4fceed265daac

SHA1
996ccfc81566c531b47f5c2e912f8af37a1412f1

SHA256
cd347005d6cbdef8e2d2b53557436466c628d061e919918f6e3af3daed56ad96

SHA512
97db1ab3e6e2c3296c92870cf14d59b13deca6340db359f74d17ece82ad53995490f523faeb772e0d4c5f049f6b989a1119e490481f7db8f01f8d042cf1500bc

Download Submit
C:\Windows\SysWOW64\Ndidna32.exe

Filesize
94KB

MD5
6e672d66385990a80623d8b11101e7ec

SHA1
3447c90e25f730459535e2afbedfe6c5c923bdae

SHA256
20ca950dc5b88531106bc77103c9bfc5bb015a108d2335d6dfc2f2b4a6d07fb1

SHA512
957d2bcf2adb39e5091d72f49c92c9e4fe1375b2dbc31860bebb7c3bdd008ddbe84af7b05d12b60c384003dda68e85eaed8974453748adc1e42e7d96415e9b0d

Download Submit
C:\Windows\SysWOW64\Ndpjnq32.exe

Filesize
94KB

MD5
e9ea14f736008e482612d18fa5bc310c

SHA1
d5956106ef4e9246b415fed9276cbdf8fabccd54

SHA256
e1f1f8e0f5bca57daf1a2e358bbbbf1c7b0e751062f2ee2ed73764be1a5f485a

SHA512
5619493b25afd6e72bac20ff64a7bf451ed808a2b228f01ea2d1d33d2b302a835c3d51a407756c11a358a0dc2df3ec66c8678adb32feac76b156da050af8387b

Download Submit
C:\Windows\SysWOW64\Nfknmd32.exe

Filesize
94KB

MD5
2f5423d0a8416dea783a1f00bfc78c5c

SHA1
a2aa6d1e7ff6fb89cf99e06d22eca36bf5cea4a1

SHA256
43185b482838f33c7c9ed6f4e2208409f53b80ab06a3fb956d90727075bd9698

SHA512
ad7a20e107e70fd80cfef819ee43504dd790ab25279a452af0e85995d3fd763a1ad894fc88a2706d9f9967d0bd832166af6f473fd4010d003879d14b8dd90aaa

Download Submit
C:\Windows\SysWOW64\Nhlfoodc.exe

Filesize
94KB

MD5
e183fdd9e965ecba01c3091d5e555734

SHA1
c1a26b5f3278704c0eec0462e80582dac77b228c

SHA256
2347d5571cdcc3f81c6ed0854d1db9734a451d1070b5418181c8f2c7c04dbb2a

SHA512
be1d53127eed7656f4701bdd83c5a7900aa43bc24ec58ce2e88bd2f8aa3f74584f8269baa82b8aa56558dde9faff944757cba3e6f7fbe05f57b07de522a33e46

Download Submit
C:\Windows\SysWOW64\Nlcidopb.exe

Filesize
94KB

MD5
bf4b8195687dfb5e8f1b1a6b99ff9982

SHA1
124ffc642c0382f368885be6a9177d695e83f8bd

SHA256
65f728f7ac3c57536161deaa2d9d679d57f5428be8213e6ffb00b79efd1da241

SHA512
77201b500eb4b7c3d43798d9e37a13779a25b0727b995e18a1bfd493d508f6a21dcdbb8d9e1275f27c8023dacb6728595981581fc13c2f14927c51cff4cadbdd

Download Submit
C:\Windows\SysWOW64\Nlqloo32.exe

Filesize
94KB

MD5
d91f5d5581ba277c9df356faf30bc0e6

SHA1
8e2ee268bfb1c8a095b7c23cfcb7bf361a93ef56

SHA256
6404fb4c1a24c8beaffd23fd817c7e868aa236a9e9c7a75495b982683f003442

SHA512
d99870cf9f646f86e3b7730ac2cc03996984aedb656069bad0b73e52e3fcd321b590e0b8f470946e8ad33cf3ae6f505c26eaf8f0011caf1eaed6d4646048d87e

Download Submit
C:\Windows\SysWOW64\Noaeqjpe.exe

Filesize
94KB

MD5
9bdae6b92fbf0c9b405b5679c2e0f636

SHA1
fe1cba15bfd46ccf78a5b5ffaacfb429fd4f6332

SHA256
17abf9e25b3f483550ee551afb9a24fdf56875b7ea6e89bd007c5a720ad719ad

SHA512
1aad305d9ffad7be5767a9a8494529c1244d6ef39a5ded9463d0d2a7481e622591baa09e86a8d257c871158dc627618a6d89e0ec8203f321b2d014423a30008a

Download Submit
C:\Windows\SysWOW64\Nocbfjmc.exe

Filesize
94KB

MD5
d6e684c302941e4d4ced6b79a29ca104

SHA1
a7bce297cfd994d3c73abc47e4399cb36cf81b8c

SHA256
0d0d4a7a0675915458012d5c31fbf3d50f88793b44e3575723fb5032f7839bc7

SHA512
a6117a3998f0281195f014627ef52b21e2835a12961dff8eb88374461e2d226ac08aa5f6fdaccb163c2a49ac58248c2231e23cd02b1970d3a94a0c63ef87c3ff

Download Submit
C:\Windows\SysWOW64\Nomlek32.exe

Filesize
94KB

MD5
3a8662939817f24b0c05462858c28fb9

SHA1
b41d7e74bee5da9c3b6976cd0b898e6c90e1cbc6

SHA256
14aef8de1a0d1c37a3b7345bde93c6e55d64cbd56b025f7c22953c75504b3bbc

SHA512
3c817b1e16a693098ceb030ab4692eba4f6041be4de9fbb8dc8b43d6d9f8e3a35249b9ffac61a50608cb6f834eb37a345ac2e4176b73ea52ad9091b35c7b7cd7

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
94KB

MD5
667e79ec75bb66d890a36964ff068979

SHA1
5732eaa2bdb9b08434949a5e20c41c015053ed08

SHA256
d8088e124f2dfc59f2c8b4379eb120b425e9cf8a20ba634c2e8cc9518c23cc64

SHA512
a4b810a7eb585157267509ee4b52599c3d06fd624722253e77e39e4c6a38cb0fb7ea1168324756c0186e72a716ffa290b86c44ab7b18fa0793bda00aed45cd07

Download Submit
C:\Windows\SysWOW64\Odjmdocp.exe

Filesize
94KB

MD5
300027df3db1d0f3a655df91893a1f47

SHA1
68daddf9886f46c9ed7c92d91dc640b54c31f134

SHA256
8336ec536b68b5b212f08237b1686ebc1481b4235d771683bc5686707f4d5634

SHA512
f5acb3609a51c41c3f39cc734fbd64eb72a3ada99997f6fba2b565343fdfc2e70027ae95a806864563f20e65d3f2f6a7d669715dbc927880ea9e5ffbba9f14db

Download Submit
C:\Windows\SysWOW64\Ofijnbkb.exe

Filesize
94KB

MD5
089f9b5a450b94234ef462f2e76272ae

SHA1
4229dba743617af92569c06a33173925d83c84e2

SHA256
6742fd05fea766db0c3207502bc7e5c3407c54de8e4daba10e831d35ae4dbdc4

SHA512
b9dbd24ba80cf446e5038a65f9ba9df70d5b37c1399c79d76ebd9f11476c5608ee16745ead63b82ebe55fa6c8419520c3e4daeeac9b5e98e3c8c2d09499d2d9d

Download Submit
C:\Windows\SysWOW64\Ohcmpn32.exe

Filesize
94KB

MD5
313ea0cbb45ee487eb0714a41c404b88

SHA1
3f37106fafc639293c531e86782c412de063fd37

SHA256
5afedf405c50b269b775567e3151b1c245ce3e430482d75064be4564aa0e0c0b

SHA512
2487defa68a6dfec45a66cf8bdae04158c9c888d0315c50f33403b4c0b41a1988f3a3ad45f2dd6f7dd12983f0c17d9512f26aa0704729773819b1ed8c1f7926b

Download Submit
C:\Windows\SysWOW64\Ohncdobq.exe

Filesize
94KB

MD5
38e1498fa32f5d16a68d4027f355b867

SHA1
446a3dd446a0613a9174fabaa8026a8fa776a7de

SHA256
c6c50e1413a607c383d8e45b6de7125dc0cd32de53ed13bc650b9a9a9fe1d22e

SHA512
f66d57fcebbe367520b42d5d412b933a7c7f794a1eb7d124ff9baf681df3ddb12393ecbfcea20e0a39e9dcc4633b3f9dd4ce91addc8c602ee3d5a8e3d1d9bd49

Download Submit
C:\Windows\SysWOW64\Ollljmhg.exe

Filesize
94KB

MD5
a5bd5080fa007897c760d9ac3e20117b

SHA1
0156a7b3e869a12eaf7dc279814e1fb779d9dc22

SHA256
9b392dbdf1fabb72e29d8d3fea69e15c43332384947454b9c7ad181c5de8d284

SHA512
ea66349faebe064f5d8a6dacadb482ea88449c370fd935bf9c2f2f66130acd3c23413e0b654dc558a80845f7c68c73823be2106bc1c68ca54b813c3312b6cfa7

Download Submit
C:\Windows\SysWOW64\Oloipmfd.exe

Filesize
94KB

MD5
fc7e502857c4f253fe1caab4dbd84d79

SHA1
54bdab51d1c5e9e83f1c8e08231691b1f8a9599c

SHA256
446184d177d05717e1947cf1ba722fdf7299a93e38d68e2bc4398ee4d01f7b25

SHA512
fa9cfb05e1282956850d49ad91fa74dd3c511022dc1ccec00213fd2828e767b206c98d457d6398f3d593e835784586bb3028bc8487c88972cdff8cd7500bda78

Download Submit
C:\Windows\SysWOW64\Oohkai32.exe

Filesize
94KB

MD5
c1691201b87605ec515351f7f7ddfbc4

SHA1
a914ac916d284ff0a8265dbbf4ec794660746b32

SHA256
33cbe4d56f6eed021720f66287bb4bc1aceae2318ef0bfd36297fac8817338ed

SHA512
f5341d9bfdb7aa6a864fdcca927898bfbaccf3d8d3a7876c0456eaa222497b13643edbd8008113512c00ebbe5c41136037e7cd85d02924ace457084107685520

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
94KB

MD5
86cd36e3d31325bb4c062bff42d00759

SHA1
71cc4b6f4bdb41f98ac2c7c4b0fec14c3afe4a44

SHA256
5b1b20e3e1f8197c92275381990d3c5ef94256eaec75adae746a0f9bf355c188

SHA512
9b93e4eaeaf454a8bb4494d7da86fe9151a20c29592cdeb1b668be168febdfc500137106a011c8a87f5612b880ad76798a26dff1a564e401dfa6f09cc65e4538

Download Submit
C:\Windows\SysWOW64\Oooaah32.exe

Filesize
94KB

MD5
5b4d32989e512b7d168fcc6789e574e3

SHA1
0088d824d036c2f1ae4ca67fe6752d4c0995909c

SHA256
3679a4c1d6cd994bbff14c303efae662620fd8de2c2f2e0e48d58e4db4421ce5

SHA512
49388c16289c34f36e48a34853c36a451a1ca32fe558d6d005a49c31b48954c33496860bd2c54232beb2cbebc4abb2c7f31a79ed23f5dace579c277f14210eed

Download Submit
memory/404-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/436-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/436-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/464-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/660-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/756-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/832-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/964-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1228-344-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1268-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1292-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1396-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1444-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1584-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1600-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1692-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1768-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1776-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1908-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1908-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2208-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2292-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2412-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2412-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2580-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2720-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2840-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-585-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3008-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3120-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3184-229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3280-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3380-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3468-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3672-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3716-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3796-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3796-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3796-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3992-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4020-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4128-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4384-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4420-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4424-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4528-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4680-429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4800-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4840-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4848-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4888-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4900-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5132-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5172-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5212-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5252-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5292-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5332-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5372-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5412-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5452-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5492-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5532-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5572-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5616-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5660-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5704-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5748-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5796-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5840-586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5872-588-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads