f37f38ca8ce0fb56be84443c2e4edafc9955841180e77cdbb00e5d9834d24ab4

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f37f38ca8ce0fb56be84443c2e4edafc9955841180e77cdbb00e5d9834d24ab4.exe
Size

176KB
MD5

b12be40eddaccc5a37c27d8ace1007fd
SHA1

2cefbf99e0846f4c8ceb5c055df5bb74d122365f
SHA256

f37f38ca8ce0fb56be84443c2e4edafc9955841180e77cdbb00e5d9834d24ab4
SHA512

4adb6d3148d842770ca932e4c28ae52c70c6cbc5f30efc1fd40476e67e9299fbdc509dd13bad70a4a21487d0c8b5d30a58337bc49006fffe598c531b10a4c2b0
SSDEEP

3072:G+3NfmQ5r3UjmOiBn3w8BdTj2h33ppaS46HUF2pMXSfN6RnQShGu:GAZrkjVu3w8BdTj2V3ppQ60MMCf0RnQO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkapelka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhbciqln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obkahddl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkholi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Madbagif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohbjkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjdki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhknhabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkocol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mafofggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhiabbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okailj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfbgiij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjmdocp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aealll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mafofggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medglemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkeipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofbdncaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfiagd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmanljfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apddce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f37f38ca8ce0fb56be84443c2e4edafc9955841180e77cdbb00e5d9834d24ab4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mohbjkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmoncl.exe

Executes dropped EXE 43 IoCs

pid	Process
4320	Mhiabbdi.exe
408	Mkgmoncl.exe
2328	Mhknhabf.exe
4812	Madbagif.exe
2808	Mklfjm32.exe
5116	Mohbjkgp.exe
4964	Mafofggd.exe
964	Mkocol32.exe
4712	Medglemj.exe
3212	Nhbciqln.exe
1080	Nkapelka.exe
4744	Nakhaf32.exe
2612	Ncjdki32.exe
4968	Nfiagd32.exe
3172	Nkeipk32.exe
4804	Nfknmd32.exe
1228	Nfnjbdep.exe
3304	Ncaklhdi.exe
4284	Oljoen32.exe
2248	Okmpqjad.exe
636	Ofbdncaj.exe
3616	Ookhfigk.exe
1516	Ocfdgg32.exe
4748	Okailj32.exe
960	Obkahddl.exe
3752	Odjmdocp.exe
4536	Oooaah32.exe
2956	Obnnnc32.exe
1988	Okfbgiij.exe
4568	Pkholi32.exe
2836	Pilpfm32.exe
4800	Pcbdcf32.exe
3588	Pbgqdb32.exe
2320	Pmmeak32.exe
3372	Pehjfm32.exe
2224	Pkabbgol.exe
3696	Qmanljfo.exe
2116	Qelcamcj.exe
2552	Qkfkng32.exe
3876	Aeopfl32.exe
1372	Apddce32.exe
4688	Aealll32.exe
5056	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ofbdncaj.exe	Okmpqjad.exe
File opened for modification	C:\Windows\SysWOW64\Pbgqdb32.exe	Pcbdcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pkabbgol.exe	Pehjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Madbagif.exe	Mhknhabf.exe
File created	C:\Windows\SysWOW64\Mkocol32.exe	Mafofggd.exe
File opened for modification	C:\Windows\SysWOW64\Nhbciqln.exe	Medglemj.exe
File opened for modification	C:\Windows\SysWOW64\Nkeipk32.exe	Nfiagd32.exe
File created	C:\Windows\SysWOW64\Pbgnqacq.dll	Oooaah32.exe
File opened for modification	C:\Windows\SysWOW64\Mklfjm32.exe	Madbagif.exe
File opened for modification	C:\Windows\SysWOW64\Mohbjkgp.exe	Mklfjm32.exe
File opened for modification	C:\Windows\SysWOW64\Obnnnc32.exe	Oooaah32.exe
File created	C:\Windows\SysWOW64\Pkabbgol.exe	Pehjfm32.exe
File created	C:\Windows\SysWOW64\Mklfjm32.exe	Madbagif.exe
File opened for modification	C:\Windows\SysWOW64\Okfbgiij.exe	Obnnnc32.exe
File created	C:\Windows\SysWOW64\Pilpfm32.exe	Pkholi32.exe
File created	C:\Windows\SysWOW64\Ifoglp32.dll	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Daliqjnc.dll	Pmmeak32.exe
File opened for modification	C:\Windows\SysWOW64\Ocfdgg32.exe	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Aealll32.exe
File created	C:\Windows\SysWOW64\Ncjdki32.exe	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Abohmm32.dll	Nfknmd32.exe
File created	C:\Windows\SysWOW64\Cieonn32.dll	Pilpfm32.exe
File opened for modification	C:\Windows\SysWOW64\Qelcamcj.exe	Qmanljfo.exe
File opened for modification	C:\Windows\SysWOW64\Okailj32.exe	Ocfdgg32.exe
File created	C:\Windows\SysWOW64\Qmanljfo.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Mafofggd.exe	Mohbjkgp.exe
File created	C:\Windows\SysWOW64\Nhbciqln.exe	Medglemj.exe
File created	C:\Windows\SysWOW64\Ggociklh.dll	Apddce32.exe
File opened for modification	C:\Windows\SysWOW64\Mkocol32.exe	Mafofggd.exe
File created	C:\Windows\SysWOW64\Nkapelka.exe	Nhbciqln.exe
File created	C:\Windows\SysWOW64\Jgedpmpf.dll	Nkeipk32.exe
File opened for modification	C:\Windows\SysWOW64\Oljoen32.exe	Ncaklhdi.exe
File opened for modification	C:\Windows\SysWOW64\Pcbdcf32.exe	Pilpfm32.exe
File created	C:\Windows\SysWOW64\Jbkeki32.dll	Madbagif.exe
File created	C:\Windows\SysWOW64\Mhknhabf.exe	Mkgmoncl.exe
File opened for modification	C:\Windows\SysWOW64\Nakhaf32.exe	Nkapelka.exe
File created	C:\Windows\SysWOW64\Ipiddlhk.dll	Nkapelka.exe
File created	C:\Windows\SysWOW64\Oljoen32.exe	Ncaklhdi.exe
File opened for modification	C:\Windows\SysWOW64\Oooaah32.exe	Odjmdocp.exe
File opened for modification	C:\Windows\SysWOW64\Mhknhabf.exe	Mkgmoncl.exe
File created	C:\Windows\SysWOW64\Nfiagd32.exe	Ncjdki32.exe
File created	C:\Windows\SysWOW64\Bakpfm32.dll	Obkahddl.exe
File created	C:\Windows\SysWOW64\Obnnnc32.exe	Oooaah32.exe
File created	C:\Windows\SysWOW64\Cdkdne32.dll	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Joboincl.dll	Oljoen32.exe
File opened for modification	C:\Windows\SysWOW64\Pehjfm32.exe	Pmmeak32.exe
File opened for modification	C:\Windows\SysWOW64\Aeopfl32.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Lgilmo32.dll	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Fkekkccb.dll	Mklfjm32.exe
File opened for modification	C:\Windows\SysWOW64\Ncaklhdi.exe	Nfnjbdep.exe
File opened for modification	C:\Windows\SysWOW64\Odjmdocp.exe	Obkahddl.exe
File created	C:\Windows\SysWOW64\Ohpcjnil.dll	Odjmdocp.exe
File opened for modification	C:\Windows\SysWOW64\Qkfkng32.exe	Qelcamcj.exe
File opened for modification	C:\Windows\SysWOW64\Apddce32.exe	Aeopfl32.exe
File created	C:\Windows\SysWOW64\Honmnc32.dll	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Pbgqdb32.exe	Pcbdcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeak32.exe	Pbgqdb32.exe
File created	C:\Windows\SysWOW64\Nonhbi32.dll	Pehjfm32.exe
File opened for modification	C:\Windows\SysWOW64\Qmanljfo.exe	Pkabbgol.exe
File created	C:\Windows\SysWOW64\Cbgabh32.dll	Mafofggd.exe
File created	C:\Windows\SysWOW64\Inkqjp32.dll	Okailj32.exe
File created	C:\Windows\SysWOW64\Mkgmoncl.exe	Mhiabbdi.exe
File created	C:\Windows\SysWOW64\Madbagif.exe	Mhknhabf.exe
File created	C:\Windows\SysWOW64\Mafofggd.exe	Mohbjkgp.exe

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfknmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oljoen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklfjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mafofggd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfiagd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oooaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnnnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkgmoncl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obkahddl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qelcamcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkholi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnjbdep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofbdncaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f37f38ca8ce0fb56be84443c2e4edafc9955841180e77cdbb00e5d9834d24ab4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkocol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkeipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aealll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhiabbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mohbjkgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookhfigk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhknhabf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhbciqln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nakhaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbgqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehjfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medglemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkapelka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncaklhdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjmdocp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkabbgol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f37f38ca8ce0fb56be84443c2e4edafc9955841180e77cdbb00e5d9834d24ab4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkekkccb.dll"	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Medglemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joboincl.dll"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbfndd32.dll"	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdkdne32.dll"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeopfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkglgq32.dll"	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aealll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakpfm32.dll"	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odjmdocp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll"	Aealll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkeipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfnjbdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgnqacq.dll"	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apddce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qelcamcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lggfcd32.dll"	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkeipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll"	Pmmeak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoglp32.dll"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medglemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpcjnil.dll"	Odjmdocp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhknhabf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmeak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qelcamcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncjdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokjbgbf.dll"	Ncjdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcboj32.dll"	Pbgqdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpijjbj.dll"	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngihj32.dll"	Mhknhabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofbdncaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloojfj.dll"	Pkholi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ookhfigk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obnnnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkholi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cieonn32.dll"	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f37f38ca8ce0fb56be84443c2e4edafc9955841180e77cdbb00e5d9834d24ab4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgabh32.dll"	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgedpmpf.dll"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjbpbd32.dll"	Ofbdncaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpqifh32.dll"	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkabbgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkfkng32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4320	3004	f37f38ca8ce0fb56be84443c2e4edafc9955841180e77cdbb00e5d9834d24ab4.exe	89
PID 3004 wrote to memory of 4320	3004	f37f38ca8ce0fb56be84443c2e4edafc9955841180e77cdbb00e5d9834d24ab4.exe	89
PID 3004 wrote to memory of 4320	3004	f37f38ca8ce0fb56be84443c2e4edafc9955841180e77cdbb00e5d9834d24ab4.exe	89
PID 4320 wrote to memory of 408	4320	Mhiabbdi.exe	90
PID 4320 wrote to memory of 408	4320	Mhiabbdi.exe	90
PID 4320 wrote to memory of 408	4320	Mhiabbdi.exe	90
PID 408 wrote to memory of 2328	408	Mkgmoncl.exe	91
PID 408 wrote to memory of 2328	408	Mkgmoncl.exe	91
PID 408 wrote to memory of 2328	408	Mkgmoncl.exe	91
PID 2328 wrote to memory of 4812	2328	Mhknhabf.exe	92
PID 2328 wrote to memory of 4812	2328	Mhknhabf.exe	92
PID 2328 wrote to memory of 4812	2328	Mhknhabf.exe	92
PID 4812 wrote to memory of 2808	4812	Madbagif.exe	93
PID 4812 wrote to memory of 2808	4812	Madbagif.exe	93
PID 4812 wrote to memory of 2808	4812	Madbagif.exe	93
PID 2808 wrote to memory of 5116	2808	Mklfjm32.exe	94
PID 2808 wrote to memory of 5116	2808	Mklfjm32.exe	94
PID 2808 wrote to memory of 5116	2808	Mklfjm32.exe	94
PID 5116 wrote to memory of 4964	5116	Mohbjkgp.exe	95
PID 5116 wrote to memory of 4964	5116	Mohbjkgp.exe	95
PID 5116 wrote to memory of 4964	5116	Mohbjkgp.exe	95
PID 4964 wrote to memory of 964	4964	Mafofggd.exe	96
PID 4964 wrote to memory of 964	4964	Mafofggd.exe	96
PID 4964 wrote to memory of 964	4964	Mafofggd.exe	96
PID 964 wrote to memory of 4712	964	Mkocol32.exe	97
PID 964 wrote to memory of 4712	964	Mkocol32.exe	97
PID 964 wrote to memory of 4712	964	Mkocol32.exe	97
PID 4712 wrote to memory of 3212	4712	Medglemj.exe	98
PID 4712 wrote to memory of 3212	4712	Medglemj.exe	98
PID 4712 wrote to memory of 3212	4712	Medglemj.exe	98
PID 3212 wrote to memory of 1080	3212	Nhbciqln.exe	99
PID 3212 wrote to memory of 1080	3212	Nhbciqln.exe	99
PID 3212 wrote to memory of 1080	3212	Nhbciqln.exe	99
PID 1080 wrote to memory of 4744	1080	Nkapelka.exe	100
PID 1080 wrote to memory of 4744	1080	Nkapelka.exe	100
PID 1080 wrote to memory of 4744	1080	Nkapelka.exe	100
PID 4744 wrote to memory of 2612	4744	Nakhaf32.exe	101
PID 4744 wrote to memory of 2612	4744	Nakhaf32.exe	101
PID 4744 wrote to memory of 2612	4744	Nakhaf32.exe	101
PID 2612 wrote to memory of 4968	2612	Ncjdki32.exe	102
PID 2612 wrote to memory of 4968	2612	Ncjdki32.exe	102
PID 2612 wrote to memory of 4968	2612	Ncjdki32.exe	102
PID 4968 wrote to memory of 3172	4968	Nfiagd32.exe	103
PID 4968 wrote to memory of 3172	4968	Nfiagd32.exe	103
PID 4968 wrote to memory of 3172	4968	Nfiagd32.exe	103
PID 3172 wrote to memory of 4804	3172	Nkeipk32.exe	104
PID 3172 wrote to memory of 4804	3172	Nkeipk32.exe	104
PID 3172 wrote to memory of 4804	3172	Nkeipk32.exe	104
PID 4804 wrote to memory of 1228	4804	Nfknmd32.exe	105
PID 4804 wrote to memory of 1228	4804	Nfknmd32.exe	105
PID 4804 wrote to memory of 1228	4804	Nfknmd32.exe	105
PID 1228 wrote to memory of 3304	1228	Nfnjbdep.exe	106
PID 1228 wrote to memory of 3304	1228	Nfnjbdep.exe	106
PID 1228 wrote to memory of 3304	1228	Nfnjbdep.exe	106
PID 3304 wrote to memory of 4284	3304	Ncaklhdi.exe	107
PID 3304 wrote to memory of 4284	3304	Ncaklhdi.exe	107
PID 3304 wrote to memory of 4284	3304	Ncaklhdi.exe	107
PID 4284 wrote to memory of 2248	4284	Oljoen32.exe	108
PID 4284 wrote to memory of 2248	4284	Oljoen32.exe	108
PID 4284 wrote to memory of 2248	4284	Oljoen32.exe	108
PID 2248 wrote to memory of 636	2248	Okmpqjad.exe	109
PID 2248 wrote to memory of 636	2248	Okmpqjad.exe	109
PID 2248 wrote to memory of 636	2248	Okmpqjad.exe	109
PID 636 wrote to memory of 3616	636	Ofbdncaj.exe	110

C:\Users\Admin\AppData\Local\Temp\f37f38ca8ce0fb56be84443c2e4edafc9955841180e77cdbb00e5d9834d24ab4.exe
"C:\Users\Admin\AppData\Local\Temp\f37f38ca8ce0fb56be84443c2e4edafc9955841180e77cdbb00e5d9834d24ab4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\Mhiabbdi.exe
  C:\Windows\system32\Mhiabbdi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\Mkgmoncl.exe
    C:\Windows\system32\Mkgmoncl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\SysWOW64\Mhknhabf.exe
      C:\Windows\system32\Mhknhabf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4812
      - C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Pmmeak32.exe
        
        C:\Windows\system32\Pmmeak32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Qelcamcj.exe
        
        C:\Windows\system32\Qelcamcj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4128,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
1⤵
PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeopfl32.exe

Filesize
176KB

MD5
4067f7e1e38d6e72561db3aa26e10c55

SHA1
c41cc1d04ed69275fb364693c2cdccb4b9b3d3b5

SHA256
dc9ec611499a1551e47be8503fed5c4decb0e27d9b24ebac068e3694745838ed

SHA512
35ca5d4e928e14a156e0b01dbe0d79cec75a00c2f40c52f7b8a8627f2fc4e0371f2defaa3cc2dd1a723760fdb688b7e6af75307603b5db84cb938760448dba7a

Download Submit
C:\Windows\SysWOW64\Amhdmi32.exe

Filesize
176KB

MD5
2d76240a09c2ecf27e88e571d2c774fa

SHA1
33afd076422f99752e7d11b7484de8bc06e0c1c3

SHA256
98d6a2a5b30d8a95508cc62514dc6a5f2728115547c290c9643014bd11cd2a66

SHA512
d34fd2c7eda521c255959ee7a91fdbda3afe1df40d75e2af1d415d58dbea7a2d9ebbf608e71023e290b6e3b10643f0c7a2def10b3ad93562b2594ec7a9922842

Download Submit
C:\Windows\SysWOW64\Madbagif.exe

Filesize
176KB

MD5
88c9461e9048ae84d05d34d623e5eff7

SHA1
67bb26d9a7e74e17ba7479840e3f960a2d797884

SHA256
51c4b0a1cee5473be462eac24038d3d1ddce3390163209b1e57aaac3d77fbe16

SHA512
4355239f7c7e589137aacac5e711e535665fd9af746a47fe9be6e5b0da5004a7251b7a9d14c90fc84cbbcad8403491d9ffb7742c81a561ebc99534a48cde4926

Download Submit
C:\Windows\SysWOW64\Mafofggd.exe

Filesize
176KB

MD5
6e1ec306f30a6f8ec8afe8185b8c1bf9

SHA1
7543a0485f328cd83da764a7c9571da00a96c876

SHA256
79f6e724318be0a073ac839ff11649b9480cf00d39ed89f9fd855b4b2f8a6024

SHA512
38a18fb8caa15f428fb19f614e4a9b2763f3df0e0458828fb4166df62a4b102a1511e9a672be41dc0e8e7adcb3595165facc61e82c707898f8bf372814d7f7d3

Download Submit
C:\Windows\SysWOW64\Medglemj.exe

Filesize
176KB

MD5
a0b3bd9758ce7cf226d12305cb725167

SHA1
67953098a76e8c3ab3df1ac567ced8617dd8fb5d

SHA256
2d4ff3389cba18da06671e299a92c4afdf1b2c638c1da6228a20e321dad0482a

SHA512
35c5a7f80cbab404976cac46be3dad8ae251cf73fde518d3d71abf4e80ebacc5641449963772730671003fea00adbf7530a3e06c8629d4944fa535b964c14029

Download Submit
C:\Windows\SysWOW64\Mhiabbdi.exe

Filesize
176KB

MD5
1b8b761bc74b9420c5568075d44d8015

SHA1
cffd72c1f486379ccd12f1fa61648f333b78af21

SHA256
57fbbe2e99573018201c8eedc8d134b1393d8085dbcc2e86cca57c2e69b4c286

SHA512
742fad889aed9fef00161c1974dee925473187c7160a02357815a2e6a10ad9f3a19b07253513fb31e7d3c8e204153de82cff919604a436fcce45c013d14c511d

Download Submit
C:\Windows\SysWOW64\Mhknhabf.exe

Filesize
176KB

MD5
7c5ab5e8052fb65bea54df71baaa6758

SHA1
12e68c0b832453f7fb709ceba45d5b9dad6584f4

SHA256
0a417ce53dd7659bf50eb5b842b1881f898f6839bf798ba20a5a0b39359f2318

SHA512
c3ea218221c52efc1a12b4eea1a693ef1cf351bf133403c9739448e9a34ccf6d55b4dd01bd164bb526cee917b5ddac794fa646a952c6996454df1f5a97d330fe

Download Submit
C:\Windows\SysWOW64\Mkgmoncl.exe

Filesize
176KB

MD5
5a25363ebd7cf2c645d1fe9c435cf8d4

SHA1
79a1c5df0fb12a7341b147cea45117d7dd8b4162

SHA256
08d6b3a8d1a37ab32f43d952ed271f94c28d7accd6359eea2f2c383ae19548a9

SHA512
c159d4fa68b23c8daee7ab86ea59eae4879f18fd311cee3b1f8a9ff42b0f2f9784e1c2154406c1c5a674ad6ce4f9788f4b38cf3bfaf56a83a63670f3ccece85b

Download Submit
C:\Windows\SysWOW64\Mklfjm32.exe

Filesize
176KB

MD5
0feeb209353c1c4bbbe7640b6a0a966d

SHA1
5d8922792ff8b70e9711327d0ae0086a4736dfd8

SHA256
e9881f7a71b454649d5ca1e86710de6f531e5fb054a14b094307b519d47de518

SHA512
7aa767091f38e50f1f8f3413365c20bccbe8c800c61ea0c805ec5ddce066c512d5fa0f255841b6731180603d6c1bc8a4de9f156d51ab7391a0fe8061b21905c7

Download Submit
C:\Windows\SysWOW64\Mkocol32.exe

Filesize
176KB

MD5
a7eb6601087bb0ac8d22ea0bd22794ae

SHA1
f8403f5e006ac89ed2e412f38aeac1e4f15eadec

SHA256
a0e4b2d68615f189788f5902339723bfdcd54805b2caa75750e9dd3b311fc5b7

SHA512
fd5fe029af8156ecf69daf2e8daa916c90a87ffca1e5c8ff915932c72636cbea8924d9832137de99774c1f215a50ab8943b7894604a0819166b97cfb6bdc48ee

Download Submit
C:\Windows\SysWOW64\Mohbjkgp.exe

Filesize
176KB

MD5
1eb8c3403e62ce3c86ca3f9440ccc7ea

SHA1
3c6ce64ccd0ccc6303a21ee26d7137aff6376ac9

SHA256
455f7cf6ca2fd254c63a5f8383364fc74ab4649abbd324650fde252d4b4e774e

SHA512
6780f54d19bc1010ee31adf094a5fe3f3d99dbf4d5c4b84feb94d049759a0332ebc840cc99322926f9befd63648a0ff55ec0b2f242bac2a888a8e57f5e7d3f92

Download Submit
C:\Windows\SysWOW64\Nakhaf32.exe

Filesize
176KB

MD5
ebdb95b97fb8f4a89edca333cc09a761

SHA1
6eb7e723916bad3a14b296e98a2db6a3d3035d33

SHA256
6cb0e124679199e6910723c84e4039b31bc9485bc1066a145484f5a11416306b

SHA512
5373801d51b5bbdd37a1629466be1630ea409eaf804f0b09c718c01dd096e0a55ef6b4f600f33b99fa115796f654eb535afc1a3abe77c6b211457c505e7a338f

Download Submit
C:\Windows\SysWOW64\Ncaklhdi.exe

Filesize
176KB

MD5
ad93e4db1eb810ae8da765700f91ab2d

SHA1
a190c46f6a33cc07aa2c08ef883047c0522fa3db

SHA256
0db1b7f8767adae54613fc79af40578d4631776872631ac6bc0ab6a4d2b7806c

SHA512
624398eaf22e14a50d7a40d917f33191049b5bcf107ba12542c91a5c34366f6d26204b88e547be4dc543097b07f73235a54f2216890ff7316aacf56d7dcd8e04

Download Submit
C:\Windows\SysWOW64\Ncjdki32.exe

Filesize
176KB

MD5
f1baea369e6978f6746926849ad5fab3

SHA1
5a9d382f074fc4ded7bac67e519890ae356a48fe

SHA256
b293e12321e7a2d014e68c95c36db89a677113d7d623b00b9123b5c46a7e0f5a

SHA512
1c04ee6ba53cf724a1912a8fd7d489938e7b834bd1958442242f36d0a580d28478dce91ebea01a5fa6687205552caa1515b50cf82e1b609e5143c3d4b195b9ff

Download Submit
C:\Windows\SysWOW64\Nfiagd32.exe

Filesize
176KB

MD5
649774d13b201a67d6952bf45bdb7afd

SHA1
584f798193402c1ea5d0ede83169367d7dae84e4

SHA256
6d93d564cc973974637c39ce9a5fe124aa825929a0391c0d01a52f75337b39f7

SHA512
3d259abe288780bee309313756c5c7390a13ef82fed3ce562bee576c261da9d98c31e21592f9132e88c433ac930380dfd159de42ff2475c68a10c9ff02d5b169

Download Submit
C:\Windows\SysWOW64\Nfknmd32.exe

Filesize
176KB

MD5
2bfb23a552d61fa6b425415d16be13fa

SHA1
c4008964a9dd4e6cd04c2b22780a244019cd6226

SHA256
0e5a566c54bd8330958bbfe69305116fc7cef9ef79c5508a7a4b691e65c6d83f

SHA512
3b036757234765aa7a5890e2f5f1e57fe37db8fafc5ed56bdfc2025cdc0f47fa970477ecfa4219c64732a898b45531db72109ca222d1bc53453952f3b7e329b6

Download Submit
C:\Windows\SysWOW64\Nfnjbdep.exe

Filesize
176KB

MD5
93ecacbc307ab4e565d7535aae9f5447

SHA1
26dd99fa17b7758a9251160bf43c83415960935d

SHA256
39d9e12ead5bfb773d4d4844ae7caa9b4a43db097fa3c672611c768cd4506f59

SHA512
456780252b6bdcbca455f7a041c6d07091abe8dab2f7eca7fad6466a087002f4e11ee36a3ce7b4bce1b1313a52df3ea198118a9f2236918a28d82d29dcd6f123

Download Submit
C:\Windows\SysWOW64\Nhbciqln.exe

Filesize
176KB

MD5
2b499c389c833e8decc6e50c960685ef

SHA1
a3019599995f9a9899945e58e0857364ffc301ff

SHA256
f685ab50cbe5f3b1d880181a78a47aded5d5bbc4e957d2f0568108a76395bac5

SHA512
465756f6652182f8c0c7771fa8c0c4e5f48b2a8899f84c5fa20332accfb99a1eb7cae2576197e8fd0e1cd84e02063a42f62726187cc37dc4fc94f6b565d4b6bf

Download Submit
C:\Windows\SysWOW64\Nkapelka.exe

Filesize
176KB

MD5
33b70b3f268235a892a41dee5da2982f

SHA1
8f0f99afed740d8671903deba4917451bbae54cd

SHA256
a64af9610bd09926b67a8e23dc902945a0f415efe05d8dab26343f753e5e8c32

SHA512
abfebc904124174b98db9e70c2fa8fb9b981f7a55afd0ba52d4d3ea8c75b1f98533c3efb4f89da220c5ddce43441d4e07adaecfc95d1a8977b8758399672fc9d

Download Submit
C:\Windows\SysWOW64\Nkeipk32.exe

Filesize
176KB

MD5
9fc1e3db6b5fa9b35e0ebc373d76718b

SHA1
06e3aaaef803d4194a6072079c51f8c65e507245

SHA256
a4f81f7a4ccc72cdf243137f3fe0163bfbdb2b43d8bf68ec99d03a576f615357

SHA512
9c5eaf99cead61ebe0a31dbd55de9bdb8a0f26ac676162dc7a0a2be752efabd96d4f70fccb75a79e91847bde105295068fce9daf3ce1498de6d5e652737cb3c1

Download Submit
C:\Windows\SysWOW64\Obkahddl.exe

Filesize
176KB

MD5
27aef4bdf6859cf84aca893c642a15ae

SHA1
b66fdbe5c7b2449e8470b04afc387a3f7f67eb6b

SHA256
f1b72957ac983c34760c4431200950312d98432ad70eeb584e4d6da50755f3bd

SHA512
446159d9e9dfde866038f8d9e1a7b1d352875c92671083996deef12411deb337b0c7b12484db16b3c04f198bf1f5924bf444eb96157f281e8ddc7d870a7498da

Download Submit
C:\Windows\SysWOW64\Obnnnc32.exe

Filesize
176KB

MD5
1db4dd90eb2c7934fc23ad34a641f22b

SHA1
ea4ec8b044eae9c3cfe32c196da68fca68d2cc0d

SHA256
8b806b37a5c073c52f43d00dd755b388df4b5fdeb3d20b3dde0b6b9f6df60d4c

SHA512
6471ec4626bf0e3d5bd8aa3bab6ece0d9b86d07e1d6dca9b81b8936d3d031ce580422178fe2e2c1cd51fd72d5a45fe34574823bc8a88f1b5519cc7d43fde0ec4

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
176KB

MD5
b95670f30b98924ebc48e2f0bab0afb5

SHA1
75dc00d3a271f321e5f50c662a456c7c74b6b95e

SHA256
c27bf5fff2b062527b2e1c4e345f5e6b7c29d705750248df866e3b056e874479

SHA512
7610653bbc83a18d0ca888dc049e6cb5ddbeb3e5bdd08c0624c41f62c12cc868b2c9d98fc3596e618ade4f6ada4b992cf1bb2aabd45b53503c1e74616cc2caf3

Download Submit
C:\Windows\SysWOW64\Odjmdocp.exe

Filesize
176KB

MD5
09e2e574b022f56aa401e8d5582c417a

SHA1
f8d1b85cc42c1bcf71d4a86eea274f066475775d

SHA256
42794f758d5bcaa6acc20b9f8a5d7d52710be6907fdc7c073603766b97f79fa4

SHA512
db77c316d18fdc9b337efb8789300da8df57e215e894f992ed34a95f3b8d74db32fce61a1785846bb59b5b2ffaa11e133865f457ec40fb93eb021284dbf864e5

Download Submit
C:\Windows\SysWOW64\Ofbdncaj.exe

Filesize
176KB

MD5
ccd37edcfc4a4cf2ef42792389d51a5a

SHA1
d4fca0a743334f378c54aca5212eaf2f4fb4592d

SHA256
84391d4b2366185f308c691446de64063fe2cf8aaa2b1de9c6faee322a981fc3

SHA512
a123507def6a09f13128f4571ad9e7bd9d2c67cffd9e4720d09c770226b91e3b360941c421ae25f380bc82b5e508ca7369cefacd1fd84dc966b8f252004a6853

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
176KB

MD5
b8374e90a22175e1bf0580de17e2568f

SHA1
248da546ea691cd9f8f6a917b45076f8a1bdfc55

SHA256
7d62185b9feadd391cdf62d37599e00f89d2a30351c3726a5965e57e157dadc8

SHA512
ed4b50e66c7db522da92301ccbabf97fcac2a62f6a89b1578fde4325de767695b1c5369849bcebfa78c3c1153eb758aa2940df7b69efa043795063295615cf98

Download Submit
C:\Windows\SysWOW64\Okfbgiij.exe

Filesize
176KB

MD5
c7a0326bf0359696a9438b25f973c0b2

SHA1
e7c249583d7e5126eb0fd97a81ac305c966ec0c0

SHA256
4d9b9bad9eda66a88d3876bef3675fcd3ad4791d658c17f6574609951dd8002c

SHA512
e16adb32a8f36be9f621879ab5b57b16d03cc62f6b557c296aa10fbf85ce7362ee48bdf430f093f2ae5b7de0565d22773f0711a604380a2e2741adb0cc845325

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
176KB

MD5
e7ed27742a88bb608ef1e077f5119f8a

SHA1
8ef8ad4645ba40264b2dacdbaed70616238967e1

SHA256
bdb2efc66317a4ca519983574e31d8f03cd1374e010fd2c85ecc577b0cb03f6f

SHA512
15830b171af81d16081e8e91b5571e50829fb9afc0ec6b0137a0b3f2ca1c6245c8a6995022f9430c8b77b49482c36a5cbbe57f33369575994a37568c53cb5b64

Download Submit
C:\Windows\SysWOW64\Oljoen32.exe

Filesize
176KB

MD5
3ac0240750d0a1004315c06aa3ca6b0c

SHA1
1568a5914391beef535042878159641a63285864

SHA256
c7ebc15ca614c831410b83499d3495cabb0dee9aba4225c133d8136f8e79d64c

SHA512
b33b94a9deecc493514c5498253fb27fed61fb3158bb0886e03f588fbca9290d4e45b99793054a808ad046f1bb6f7e55645ebdf0ed09e8cae278f95362d5c3a2

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
176KB

MD5
e51f4d62327bcac116d4f6b256b0c288

SHA1
236adf4d80d25227fe26e62b7d4385d57bc6aca7

SHA256
94e19e904e17441bceae0d5e043d38fa91c842a54a18bee5d45bbff5e52877ff

SHA512
682520867df08cd0ef710a2c5174db29ebb59d0e1177af589e9ad3591abfaa382d99611cd23f38ebb8041cc7eb12e95a3ad6df35956e56051e02dbb504bfa223

Download Submit
C:\Windows\SysWOW64\Oooaah32.exe

Filesize
176KB

MD5
9ccd1f75c0bf08efdf49b623e97dcef4

SHA1
2f84af10a3fee39978e61a769395362631454a3f

SHA256
f70805788f92da6762a966da7e91d879cb79b2cdd160740088ac4e5f226cb3d0

SHA512
2e3801686a0414d74cd82bebf6052c7008962295c37eff32a148d3cc6a14baaf870dbb5fd2cf73907c46e8bd74c2c4ccd0d7596d4e21ddd636a803278598a3b0

Download Submit
C:\Windows\SysWOW64\Pbgqdb32.exe

Filesize
176KB

MD5
965a21013a83d65f28a82453f9b43260

SHA1
2120853a529fbb8409f3ce0348712a3bcb19a170

SHA256
4e957c615fbbf8c0c90f83b5d4e4eeefd0069dce9175e7f17901da2a2732605d

SHA512
ff0ad080a461fc8c59108a2c4251851e34f997c5d4f9e95bd5de4540b5f8a37b6d074b38e896af38d284c0d7878d45c0e90d7541cda6f293cc58637cae06f0c0

Download Submit
C:\Windows\SysWOW64\Pcbdcf32.exe

Filesize
176KB

MD5
0d15994c196a5a00f25cc3d5d70a1fc6

SHA1
a912de3c1c2971c973bd795f4d6e2242d7d47ea8

SHA256
1582de7ba61cc8291ca3461def938584e3b9a351456628fab29d21ea9fc6d3c1

SHA512
6730fee2f3a262f37814a758039545d61ad3e3bd20c8ca652314b8c6c2a225846e009dd87191dd1e5a6a3b1c0b0a5bd3ae3726e348582b2a4c5a6cc39684a73f

Download Submit
C:\Windows\SysWOW64\Pilpfm32.exe

Filesize
176KB

MD5
13ffd7cbec8d59a23c245cf8f4aeff4c

SHA1
9c88b94044a2d0c28908f093f435b1794a3fbb78

SHA256
b219f7c4a7ec828c1d071da49ea98aa70766bacc13ea8d13e829cd708a467995

SHA512
7e5e6f25ddef7c155fd68633dbb12c6f67e37266fda85de80fbce99c922823c81797919c170de6fce1009fae90755bf11f70fc58611d22f56953e2b56fcd9f23

Download Submit
C:\Windows\SysWOW64\Pkholi32.exe

Filesize
176KB

MD5
8322f5359a84d863711faf745db2573c

SHA1
32fb0e7734e47a61a86ba489dbebfefe839b52c5

SHA256
42fff5655e375aa6b69df6d418becb385f368ee27ea9cb6074f9dba8ee856198

SHA512
caa3cc6cef5cfccd0ea75ebd32739806bcf0fcc80cf6b838fc97871021333ba09dff4c3de3fa387c41348779fe7498485812b9a8eca2a7b633d652ca12d9499c

Download Submit
memory/408-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/636-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/636-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/960-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/964-331-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/964-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1080-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1080-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1228-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1228-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1372-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1372-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-350-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2116-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2116-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2224-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2224-357-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2248-343-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2248-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2552-360-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2552-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2956-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2956-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3172-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3172-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3212-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3212-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3304-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3304-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3372-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3372-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3616-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3616-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3696-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3696-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3752-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3876-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3876-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4284-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4284-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4320-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4320-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4568-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4688-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4688-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4712-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4712-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4744-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4744-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4748-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4748-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-353-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4804-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4804-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4812-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4812-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4964-330-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4964-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-337-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5056-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5056-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5116-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5116-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads