8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe
Size

432KB
MD5

edd8902d49f3bdcc8eff8d4bc9490380
SHA1

4d067c716510181533d0a1353a2363fb4ba98ae2
SHA256

8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989
SHA512

acffbe1a333a001a324926571f189f01c36939a5bdbcba3fa22522faf09999ba8676270bdb1448fd732df372372814dbcf042346fabb508f25a74d5fd6e960c2
SSDEEP

6144:kT1RcHk1W/y9R8FehzXjOYpui6yYPaIGckpyWO63t5YNpui6yYP:qMkI/yHcCzXjOYpV6yYPI3cpV6yYP

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cefoni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lamlphoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffkhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cefoni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfjllnnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lamlphoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhgdmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mclhjkfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bflham32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bedbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mclhjkfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bedbhi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffkhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhgdmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apkjddke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjckkcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oooaah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alkeifga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apngjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bflham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfhhml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apngjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjmdocp.exe

Executes dropped EXE 41 IoCs

pid	Process
32	Lamlphoo.exe
1048	Lhgdmb32.exe
468	Mclhjkfa.exe
3388	Nlnpio32.exe
924	Nakhaf32.exe
1496	Namegfql.exe
3988	Nhgmcp32.exe
3804	Nkjckkcg.exe
1772	Okmpqjad.exe
2436	Ohqpjo32.exe
3084	Odgqopeb.exe
3448	Okailj32.exe
4904	Odjmdocp.exe
2044	Oooaah32.exe
4416	Pcpgmf32.exe
4840	Pfppoa32.exe
4964	Pbimjb32.exe
3876	Qejfkmem.exe
4528	Qmckbjdl.exe
4844	Akihcfid.exe
3648	Alkeifga.exe
4708	Aioebj32.exe
184	Afceko32.exe
3932	Apkjddke.exe
2520	Apngjd32.exe
732	Bfjllnnm.exe
4124	Bflham32.exe
2976	Bbcignbo.exe
5008	Bedbhi32.exe
3960	Cefoni32.exe
3940	Cffkhl32.exe
1116	Cfhhml32.exe
1976	Cemeoh32.exe
3996	Cpcila32.exe
4432	Ciknefmk.exe
5064	Dbcbnlcl.exe
1212	Dpgbgpbe.exe
2792	Dmkcpdao.exe
1832	Dbhlikpf.exe
1244	Dmnpfd32.exe
2080	Dbkhnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Alkeifga.exe	Akihcfid.exe
File opened for modification	C:\Windows\SysWOW64\Cemeoh32.exe	Cfhhml32.exe
File opened for modification	C:\Windows\SysWOW64\Ciknefmk.exe	Cpcila32.exe
File opened for modification	C:\Windows\SysWOW64\Namegfql.exe	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Pnnggcqk.dll	Pfppoa32.exe
File opened for modification	C:\Windows\SysWOW64\Cffkhl32.exe	Cefoni32.exe
File created	C:\Windows\SysWOW64\Oijflc32.dll	Oooaah32.exe
File created	C:\Windows\SysWOW64\Oihlnd32.dll	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Nlnpio32.exe	Mclhjkfa.exe
File created	C:\Windows\SysWOW64\Pfqdbl32.dll	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Oooaah32.exe	Odjmdocp.exe
File created	C:\Windows\SysWOW64\Nmdlch32.dll	Lamlphoo.exe
File created	C:\Windows\SysWOW64\Efiopa32.dll	Bbcignbo.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dmnpfd32.exe
File opened for modification	C:\Windows\SysWOW64\Odjmdocp.exe	Okailj32.exe
File created	C:\Windows\SysWOW64\Pcpgmf32.exe	Oooaah32.exe
File opened for modification	C:\Windows\SysWOW64\Pfppoa32.exe	Pcpgmf32.exe
File created	C:\Windows\SysWOW64\Cffkhl32.exe	Cefoni32.exe
File created	C:\Windows\SysWOW64\Cfhhml32.exe	Cffkhl32.exe
File created	C:\Windows\SysWOW64\Namegfql.exe	Nakhaf32.exe
File opened for modification	C:\Windows\SysWOW64\Nhgmcp32.exe	Namegfql.exe
File created	C:\Windows\SysWOW64\Kpmmhc32.dll	Okmpqjad.exe
File opened for modification	C:\Windows\SysWOW64\Dpgbgpbe.exe	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Dpkgac32.dll	Dbhlikpf.exe
File opened for modification	C:\Windows\SysWOW64\Bedbhi32.exe	Bbcignbo.exe
File created	C:\Windows\SysWOW64\Qmckbjdl.exe	Qejfkmem.exe
File opened for modification	C:\Windows\SysWOW64\Afceko32.exe	Aioebj32.exe
File created	C:\Windows\SysWOW64\Bedbhi32.exe	Bbcignbo.exe
File created	C:\Windows\SysWOW64\Ipiddlhk.dll	Nlnpio32.exe
File opened for modification	C:\Windows\SysWOW64\Akihcfid.exe	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Apkjddke.exe	Afceko32.exe
File opened for modification	C:\Windows\SysWOW64\Pbimjb32.exe	Pfppoa32.exe
File created	C:\Windows\SysWOW64\Pkjdhm32.dll	Alkeifga.exe
File created	C:\Windows\SysWOW64\Bfjllnnm.exe	Apngjd32.exe
File opened for modification	C:\Windows\SysWOW64\Lamlphoo.exe	8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe
File created	C:\Windows\SysWOW64\Pjijdf32.dll	8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe
File created	C:\Windows\SysWOW64\Mclhjkfa.exe	Lhgdmb32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhhml32.exe	Cffkhl32.exe
File opened for modification	C:\Windows\SysWOW64\Lhgdmb32.exe	Lamlphoo.exe
File opened for modification	C:\Windows\SysWOW64\Pcpgmf32.exe	Oooaah32.exe
File created	C:\Windows\SysWOW64\Conllp32.dll	Pbimjb32.exe
File created	C:\Windows\SysWOW64\Qejfkmem.exe	Pbimjb32.exe
File opened for modification	C:\Windows\SysWOW64\Qejfkmem.exe	Pbimjb32.exe
File created	C:\Windows\SysWOW64\Lhgdmb32.exe	Lamlphoo.exe
File opened for modification	C:\Windows\SysWOW64\Ohqpjo32.exe	Okmpqjad.exe
File created	C:\Windows\SysWOW64\Pfppoa32.exe	Pcpgmf32.exe
File opened for modification	C:\Windows\SysWOW64\Nlnpio32.exe	Mclhjkfa.exe
File created	C:\Windows\SysWOW64\Alkeifga.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Pbimjb32.exe	Pfppoa32.exe
File opened for modification	C:\Windows\SysWOW64\Cpcila32.exe	Cemeoh32.exe
File created	C:\Windows\SysWOW64\Dkakfgoq.dll	Ciknefmk.exe
File created	C:\Windows\SysWOW64\Hjnmfk32.dll	Mclhjkfa.exe
File created	C:\Windows\SysWOW64\Nhgmcp32.exe	Namegfql.exe
File created	C:\Windows\SysWOW64\Nbfndd32.dll	Odgqopeb.exe
File opened for modification	C:\Windows\SysWOW64\Aioebj32.exe	Alkeifga.exe
File created	C:\Windows\SysWOW64\Mfppnk32.dll	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Apngjd32.exe	Apkjddke.exe
File created	C:\Windows\SysWOW64\Mqkbjk32.dll	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Afceko32.exe	Aioebj32.exe
File created	C:\Windows\SysWOW64\Kdogqi32.dll	Apkjddke.exe
File created	C:\Windows\SysWOW64\Okmpqjad.exe	Nkjckkcg.exe
File opened for modification	C:\Windows\SysWOW64\Bbcignbo.exe	Bflham32.exe
File created	C:\Windows\SysWOW64\Pdkpjeba.dll	Cemeoh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfjllnnm.exe	Apngjd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4276	2080	WerFault.exe	129

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afceko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apngjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Namegfql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bedbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbcbnlcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nakhaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alkeifga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cemeoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpgbgpbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffkhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmkcpdao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhgmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cefoni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcila32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mclhjkfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apkjddke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oooaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgdmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjmdocp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbimjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bflham32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lamlphoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjckkcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohqpjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfjllnnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbcignbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhlikpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcpgmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Alkeifga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Okailj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bflham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmiikpek.dll"	Cfhhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhgdmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbimjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdlch32.dll"	Lamlphoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnmfk32.dll"	Mclhjkfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afceko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apkjddke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmlbk32.dll"	Lhgdmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mclhjkfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipiddlhk.dll"	Nlnpio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmiie32.dll"	Afceko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apkjddke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joboincl.dll"	Nkjckkcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmglfe32.dll"	Bfjllnnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aioebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdphmfph.dll"	Apngjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqkbjk32.dll"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbcignbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciknefmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkakfgoq.dll"	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpldj32.dll"	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijflc32.dll"	Oooaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fobkem32.dll"	Aioebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iojghflb.dll"	Cpcila32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfppoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Akihcfid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkpjeba.dll"	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Alkeifga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpcila32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlnpio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgfaf32.dll"	Namegfql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ohqpjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbfndd32.dll"	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cefoni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 32	3720	8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe	89
PID 3720 wrote to memory of 32	3720	8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe	89
PID 3720 wrote to memory of 32	3720	8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe	89
PID 32 wrote to memory of 1048	32	Lamlphoo.exe	90
PID 32 wrote to memory of 1048	32	Lamlphoo.exe	90
PID 32 wrote to memory of 1048	32	Lamlphoo.exe	90
PID 1048 wrote to memory of 468	1048	Lhgdmb32.exe	91
PID 1048 wrote to memory of 468	1048	Lhgdmb32.exe	91
PID 1048 wrote to memory of 468	1048	Lhgdmb32.exe	91
PID 468 wrote to memory of 3388	468	Mclhjkfa.exe	92
PID 468 wrote to memory of 3388	468	Mclhjkfa.exe	92
PID 468 wrote to memory of 3388	468	Mclhjkfa.exe	92
PID 3388 wrote to memory of 924	3388	Nlnpio32.exe	93
PID 3388 wrote to memory of 924	3388	Nlnpio32.exe	93
PID 3388 wrote to memory of 924	3388	Nlnpio32.exe	93
PID 924 wrote to memory of 1496	924	Nakhaf32.exe	94
PID 924 wrote to memory of 1496	924	Nakhaf32.exe	94
PID 924 wrote to memory of 1496	924	Nakhaf32.exe	94
PID 1496 wrote to memory of 3988	1496	Namegfql.exe	95
PID 1496 wrote to memory of 3988	1496	Namegfql.exe	95
PID 1496 wrote to memory of 3988	1496	Namegfql.exe	95
PID 3988 wrote to memory of 3804	3988	Nhgmcp32.exe	96
PID 3988 wrote to memory of 3804	3988	Nhgmcp32.exe	96
PID 3988 wrote to memory of 3804	3988	Nhgmcp32.exe	96
PID 3804 wrote to memory of 1772	3804	Nkjckkcg.exe	97
PID 3804 wrote to memory of 1772	3804	Nkjckkcg.exe	97
PID 3804 wrote to memory of 1772	3804	Nkjckkcg.exe	97
PID 1772 wrote to memory of 2436	1772	Okmpqjad.exe	98
PID 1772 wrote to memory of 2436	1772	Okmpqjad.exe	98
PID 1772 wrote to memory of 2436	1772	Okmpqjad.exe	98
PID 2436 wrote to memory of 3084	2436	Ohqpjo32.exe	99
PID 2436 wrote to memory of 3084	2436	Ohqpjo32.exe	99
PID 2436 wrote to memory of 3084	2436	Ohqpjo32.exe	99
PID 3084 wrote to memory of 3448	3084	Odgqopeb.exe	100
PID 3084 wrote to memory of 3448	3084	Odgqopeb.exe	100
PID 3084 wrote to memory of 3448	3084	Odgqopeb.exe	100
PID 3448 wrote to memory of 4904	3448	Okailj32.exe	101
PID 3448 wrote to memory of 4904	3448	Okailj32.exe	101
PID 3448 wrote to memory of 4904	3448	Okailj32.exe	101
PID 4904 wrote to memory of 2044	4904	Odjmdocp.exe	102
PID 4904 wrote to memory of 2044	4904	Odjmdocp.exe	102
PID 4904 wrote to memory of 2044	4904	Odjmdocp.exe	102
PID 2044 wrote to memory of 4416	2044	Oooaah32.exe	103
PID 2044 wrote to memory of 4416	2044	Oooaah32.exe	103
PID 2044 wrote to memory of 4416	2044	Oooaah32.exe	103
PID 4416 wrote to memory of 4840	4416	Pcpgmf32.exe	104
PID 4416 wrote to memory of 4840	4416	Pcpgmf32.exe	104
PID 4416 wrote to memory of 4840	4416	Pcpgmf32.exe	104
PID 4840 wrote to memory of 4964	4840	Pfppoa32.exe	105
PID 4840 wrote to memory of 4964	4840	Pfppoa32.exe	105
PID 4840 wrote to memory of 4964	4840	Pfppoa32.exe	105
PID 4964 wrote to memory of 3876	4964	Pbimjb32.exe	106
PID 4964 wrote to memory of 3876	4964	Pbimjb32.exe	106
PID 4964 wrote to memory of 3876	4964	Pbimjb32.exe	106
PID 3876 wrote to memory of 4528	3876	Qejfkmem.exe	107
PID 3876 wrote to memory of 4528	3876	Qejfkmem.exe	107
PID 3876 wrote to memory of 4528	3876	Qejfkmem.exe	107
PID 4528 wrote to memory of 4844	4528	Qmckbjdl.exe	108
PID 4528 wrote to memory of 4844	4528	Qmckbjdl.exe	108
PID 4528 wrote to memory of 4844	4528	Qmckbjdl.exe	108
PID 4844 wrote to memory of 3648	4844	Akihcfid.exe	109
PID 4844 wrote to memory of 3648	4844	Akihcfid.exe	109
PID 4844 wrote to memory of 3648	4844	Akihcfid.exe	109
PID 3648 wrote to memory of 4708	3648	Alkeifga.exe	110

C:\Users\Admin\AppData\Local\Temp\8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe
"C:\Users\Admin\AppData\Local\Temp\8ace192469258fa68e6b135b18957ba1394af3fab5faba4aed1877c0864fc989N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SysWOW64\Lamlphoo.exe
  C:\Windows\system32\Lamlphoo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\SysWOW64\Lhgdmb32.exe
    C:\Windows\system32\Lhgdmb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\Mclhjkfa.exe
      C:\Windows\system32\Mclhjkfa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:468
    - - C:\Windows\SysWOW64\Nlnpio32.exe
        
        C:\Windows\system32\Nlnpio32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
      - C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Namegfql.exe
        
        C:\Windows\system32\Namegfql.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Oooaah32.exe
        
        C:\Windows\system32\Oooaah32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Pbimjb32.exe
        
        C:\Windows\system32\Pbimjb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Alkeifga.exe
        
        C:\Windows\system32\Alkeifga.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Aioebj32.exe
        
        C:\Windows\system32\Aioebj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Afceko32.exe
        
        C:\Windows\system32\Afceko32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:184
        
        C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Bflham32.exe
        
        C:\Windows\system32\Bflham32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Cffkhl32.exe
        
        C:\Windows\system32\Cffkhl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Cemeoh32.exe
        
        C:\Windows\system32\Cemeoh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 412
        43⤵
        Program crash
        
        PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2080 -ip 2080
1⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afceko32.exe

Filesize
432KB

MD5
e8b18b5eb7de070ffca058b92fd491f4

SHA1
882dcf6b3ea031e2cc5a53faacafbc05706dfd21

SHA256
df789b6b3c86aee993307d61fb58fc0d711fe7bc8ed8cf9962e68f5cce3fd347

SHA512
95e19c43261349086ccd2a97c712fdf8cebfcdfc83f1d0a519fc29af0f5f579de702d00acee2059fdf90a5d71a7689a7749a1f561f56b40c13dd0d7074ad2a83

Download Submit
C:\Windows\SysWOW64\Aioebj32.exe

Filesize
256KB

MD5
a9f97c71ed41a4d0b0c63674c0efc300

SHA1
37faa9f194336d747bc67591eda1ab6527af7800

SHA256
9c113c064c8b54fe490b19f71d94f94aa67bc39c09dd556fdac0bf7d803b4a9b

SHA512
a20664e57c92d773c4e15eb5cea75f825cdd554869267eeba2edf1f0634ebfb6476d0cb7d7f79310d2be59e8a86be2c0b4d2b5a0b2ef2c373fd581275b4fc80c

Download Submit
C:\Windows\SysWOW64\Aioebj32.exe

Filesize
432KB

MD5
0e5fb4ced85911c1627208cac1930482

SHA1
59afcbdae91ae4085192858721bcfd15b890c39c

SHA256
b784128d0e63a4e2c2c60152dc7e5cc18fee09ca2df491d9ad285a345c646e9d

SHA512
b6ae8fe2a1115888a2240990651e38340a2ffab37849898549371554b67739c126d87c48cd8e345bc200c0e165eaa15c7fc606b94340656bfc679f736aff1e26

Download Submit
C:\Windows\SysWOW64\Akihcfid.exe

Filesize
432KB

MD5
7bbb6441c697948db0c7c8c4f8d05ace

SHA1
4fb4096b682d6e9817d74b6b1c13e4e20b0941f7

SHA256
aff24d333573981eaef7f2bd6d4acaa8643fddf194330f1ad034b6bdd16e784c

SHA512
48d023d8211841b2f2b06d584bbda4baf31dad9bb6a33234c64fb7e1c6daa94144f02adc22c963ec3c40867865365490ce1ff8eec1d76d0b9f137c2fe8dbcbe2

Download Submit
C:\Windows\SysWOW64\Alkeifga.exe

Filesize
432KB

MD5
4f4bed0e8f8b81c742073531d8332233

SHA1
0cf9e46e88d52e661ad369db5d81b0efaa59e829

SHA256
abc0e6b04004a1c66d22e75c086d5eecf0bfecff76718aacf055b3e17cbb61dd

SHA512
fab7a5fc7094a6e9d807da4562559db14242c9633388eb572d3df30e387b85a7c15cc65e60d0d34d04796a06f31971c13894a295c9edf369359d87ae929c75db

Download Submit
C:\Windows\SysWOW64\Apkjddke.exe

Filesize
432KB

MD5
0a88174b8695aa30093029572171aac1

SHA1
1f95e683a50b788f76bd74965eb041505b5791e1

SHA256
1356b95c1a3fe3f69aa9ac98e2f91a6732ddab8a5b2cacfdf2582f52955c71e2

SHA512
2055cecd7feb2686bc8742956a40eed788357abc28d276ea3e9d456236efdc9883460fbff83c7d34e3172a3f749e9f6fe295c5dbcd9aa7b6fd6be9173a1f379c

Download Submit
C:\Windows\SysWOW64\Apngjd32.exe

Filesize
432KB

MD5
4c1e07c2a35bcbb81a9b78b37e26018e

SHA1
7744826e0d8a648f8c1bba4b548ece87762ad635

SHA256
c299cc4b92e55db72f0d08c3d933c896166744397efbd2ccf945bf624646f548

SHA512
e37de6d51d89cce48a331992f19cafac37f5c7e851558a9e4ad9739d7cde1278b6c9decc843939529e55834939e7e1284000d0255078ee2c3476e359b74f9669

Download Submit
C:\Windows\SysWOW64\Bbcignbo.exe

Filesize
432KB

MD5
ef0d45de441d07fca38c97ff463f6198

SHA1
dbba6df5c05cdbb3098c1b8dbca4e15d33e68770

SHA256
8d1f9be54195fc91b3a1af925f2abc615da4b022252c0db2a93b2936507c30a3

SHA512
cb4f99e5fcde5a81e7dd14b1d864419341e56509c88292ed0ff461308789fe5a3bbc637b53b23dbecf0c46724ea5d1f3bcd16680e52736ef9dc0c9ff6091f089

Download Submit
C:\Windows\SysWOW64\Bedbhi32.exe

Filesize
432KB

MD5
4093199b36f98a5ab8f2702d65031b98

SHA1
fc33bfdcf241fc66685f7dd2611d39636885821e

SHA256
a18f89488d920d2ad85569c1fee46928b57535eedbf83704bdd6210ab5b4fd51

SHA512
7300806944ab7308cb4b07dee9d722af4d30e696196597361cb28f783125d94c5fb067594bfd680accd922846a93b59f9b9436f3597b34fc66a6975902070889

Download Submit
C:\Windows\SysWOW64\Bfjllnnm.exe

Filesize
432KB

MD5
2cd4fd36de7a8760dab51c165127fcc6

SHA1
16789b21d9c851dfcfd216340eb757485081fc11

SHA256
fa2f65b8d15a7bc558d84afc53729804066b7e61ba52435cea43e2b9b45ea0e7

SHA512
ff88f809f0d0ded685bf59eb9ae8388cf6ddb5b138b9abd127ad84a8db41cee2b0e9f1d5e876b1b82dc45ef22913dc853d65dd086cd54269b2d09d63743553c9

Download Submit
C:\Windows\SysWOW64\Bflham32.exe

Filesize
432KB

MD5
7c2592bf8f7a1d3c8877ba8b95d7e49b

SHA1
504ba98f5facb52d3291af77be0b4a7018f9f5d7

SHA256
2b8a13dac816f7b06eaeb5af94fd8457e17570708231409ed888e6711e0c079f

SHA512
2e0ff04f34abb587b4c382978fa4407cf16da101e62d280c08969ae9db2fadad05cb87e2dae19ad2e1649ef4af6fc3c6133d2173fab1a3195524551b1064dfd9

Download Submit
C:\Windows\SysWOW64\Cefoni32.exe

Filesize
432KB

MD5
57a8aaaf531f6ea4f88ac8c8765110f4

SHA1
8b30826901daa4fe065a133447d0420ec720fd7f

SHA256
6133395f3eba038b2a193db4f075364edb70497d5b0e4609243a7686e5f55c80

SHA512
54c9081668a54c30759998c8cc2e190596c773ce3693d8fced54c5d4bb2d5a0ac479611f637c9a47124d422feb6ae7632da71455c843be149f8e5e35a8fbcfbd

Download Submit
C:\Windows\SysWOW64\Cffkhl32.exe

Filesize
432KB

MD5
0acff21bc968cb96bf6841b39c4ef2a5

SHA1
82334656b1ab0c1056dfda0d5e0700006dd6c9bf

SHA256
97b4ad69e7e207c41fc1657ac32dc2455a59cb89e01f5b039b2b3f4d42b8955d

SHA512
eba6a42e4c30c71724151755bbce74e4fc31781d1c51880355ef6f34147d66b6a54b1ced862e6dede1629d9c76619081e12a5dec374aaf145fd2d1b4927fbf45

Download Submit
C:\Windows\SysWOW64\Cfhhml32.exe

Filesize
432KB

MD5
d0ec194124aa058e1a6c8edb43561032

SHA1
b0b4ee4429d066c2bc2d2edd0b78ca41b556ba6b

SHA256
b62932c5d98ae9047d545c1b113f17a8edd0429be177a7951ba28b513a800b01

SHA512
dcebb50ca6f21ef4b21bc7cf7eee4f8ce2f71f7e97947925d75ef2950a8e9f762673bec0d9811a2dc0123dee76944e43f754d81446d487eb03dfc3093a825677

Download Submit
C:\Windows\SysWOW64\Ciknefmk.exe

Filesize
432KB

MD5
b5a9c949ecc8cafb9a90ffa71d08bedc

SHA1
ffdd72b8418f46add9ccddc5aac391b52b62e4f5

SHA256
b910659402075971ec04d86ed8131a930d066955b4ced03723e2d4cfd8aeb6f0

SHA512
c1c887b1610016267aefdfd69e6569d81f27f26133a8a158e9a204590f866cb01575298da5ae0591cfd04be18afd2ac2edce1e4a1745d5edc2c3079e7c921cba

Download Submit
C:\Windows\SysWOW64\Dpgbgpbe.exe

Filesize
432KB

MD5
bae7142dcd98dbb54a734acbb2632c43

SHA1
7b9718905652cb43543256b537af6c061b8e9314

SHA256
ffc9bae16e8b527a6a4f6b91908c74b6ea9a90c163d7c2dd0b8f4119a4ce3ae5

SHA512
4dd73da060dfddfb20900e752bdc232b0476de1ca67ec770a7e67cf9c573cfb8ee35476b8f974c75bc41fadf344470d78cff6e030fe34f8f1f27e098ac06b472

Download Submit
C:\Windows\SysWOW64\Ipiddlhk.dll

Filesize
7KB

MD5
02b895cf1d0f883305aaf43e41c9e8a6

SHA1
3065e46cf629e0bfa04938a522afb1fa7351f2a8

SHA256
f94873819cd8c2b6c7dec6f9df917436ca6e3eb22c16957a99d7a6ff3b4bb64f

SHA512
0164c2b649b915f265d09aaac70969e5226a1c62134285cb005b7894376aa6d12a98452f31ffd325b9b363e292d9476c3f9a592fdcacb93eb0fa6e5e98a62105

Download Submit
C:\Windows\SysWOW64\Lamlphoo.exe

Filesize
432KB

MD5
8489a3aff77ac59db57757aeb07daa95

SHA1
3460ac0bc4cfc99a42228a81ca9cf6b3af7ef050

SHA256
1b11e408b7db4e8d2463d6374ddb066019caee1d6f292464335006c7e30e2d27

SHA512
0260946d5ebafa873903a7cff214e1bb9d3a459ff215e18521953534ec4c83e6cd181e37b646e29f38c4133f77230ade30a61996b87bc6240aa324dcaed114db

Download Submit
C:\Windows\SysWOW64\Lhgdmb32.exe

Filesize
432KB

MD5
ce1355e2329fcd89d996b8da103b5528

SHA1
6535b4c565b653c11ba7f8e61dae753146a68cee

SHA256
d71d2ed9a6c7478633c47d1c6e6ca06571b3e12f624fcfe4d63e4d85146c882d

SHA512
f7e733004114d6711623ab6687af03bd8bdbc9458be2cf542414288ccc0128adc571e96d86db970bd3ed89bf8b660a28d7b5eeaac5de0f1b7b2e3b0f80212487

Download Submit
C:\Windows\SysWOW64\Mclhjkfa.exe

Filesize
432KB

MD5
130519734ad7c0f9703e81f1e8326b38

SHA1
4a669b0e94d50eeebdf2b6b85e284ddefc51df11

SHA256
d43f98379322d6abdafa2ee876e353cdf5b04f21aeb84d91a847a536f7a54e67

SHA512
2825a245cc47ac68b12b10d61dd87a283fa1c4d3e597c89f5442d275c1c56fc934b696277014e83b2e786e8b56fd0209dfcb5ce5b9270fe0d121d60c02984677

Download Submit
C:\Windows\SysWOW64\Nakhaf32.exe

Filesize
432KB

MD5
c98f9f1e6a2a072182644232943db08a

SHA1
36bd9cd8401613ec7d2a8fe8afc7e4ebcf0896a2

SHA256
c76076bc5f4a9193a5032542985425320933f12de40c38b52192c0f0095f6c04

SHA512
21de90f550f880ed2db07dc53b8bc57eda40bc7572d779ef8fb32089ea0baf680a8bea58b5dbd7bf7efc1d961d508e0cfe5f583c7d455e8467d05fde0039d0f1

Download Submit
C:\Windows\SysWOW64\Namegfql.exe

Filesize
432KB

MD5
225fef2f5f586aeb2d91b72aef8e95c5

SHA1
76415c7193ed0268d1f120e617e7c2f7cf95f818

SHA256
b42b3e917fedb1e4d3f3e5ca541ef3f5817d220a286406a0d82fa31bad38b756

SHA512
11eebd5c595fe502f6e48535de6cc039784d75d89ddad81620d0ba0b22f8f4c1ae2c1c4efad4801370033bbaf82cda01551f993505b3da33776e26567f6dd479

Download Submit
C:\Windows\SysWOW64\Nhgmcp32.exe

Filesize
432KB

MD5
55ea7a6f3efae5da506913c147c60fa7

SHA1
c7ee00d108da30d7f53b5f17ab777d71bacd2d72

SHA256
864cb458f4b6350d34c78b04b88c333eb68157f1316a3fa1cd15b302e60e9780

SHA512
f6c4aa2bfd8678a147923a951c444a9e11ff0a8e860ffb56e19e51a15329b2d7462c60f4303b0d886b792c50392caa44b625cb0762768fe032831d47197c8e0f

Download Submit
C:\Windows\SysWOW64\Nkjckkcg.exe

Filesize
432KB

MD5
5dd0b7a160deb82ddcd19f9e4b45e274

SHA1
908e804821325c02f804d4948df5e02875f0e96c

SHA256
e951e8784a4c91ad1e0b1f58ca4c7ecf49fc2905c79ffb5d8185be2ef0c61469

SHA512
5d3a6041a71586ad4e5ecaccfde1cd13eaaad93492824696d2d1346c692be2b2feb92111ce36181a02c09fa36225de9d37732bc1d70e8e8737f27fd2e6839346

Download Submit
C:\Windows\SysWOW64\Nlnpio32.exe

Filesize
432KB

MD5
b9387f727e0f79c728a7dd6f11f91c18

SHA1
ea155ddfb86d8cbc70df8b91d7613d2e197ce24f

SHA256
b0db5a8fb23d013a81bf2b65285ab354f8e43b8bf91dc607419534c8c3830aee

SHA512
5b0c6b7c59a1ea2a207fd13201f5ad7b8600a9ef48b51491e82a01adf5b8b35f0c092808b749fc2232b3871a339e660d9ef06b3cc1131987077479fc10c8ef26

Download Submit
C:\Windows\SysWOW64\Odgqopeb.exe

Filesize
432KB

MD5
283d00e435664df84cc2c1ca6913f4e5

SHA1
4ea8842dfc83377a8ed4adc9c34368ab25ed560e

SHA256
06864464c2b6ced43b4b470dd911da75d2eadec3add1c1c151dc6af008bd99cd

SHA512
7d3d6d63837ee17b646ecd2908103ee46396124b4ff0ed4e90b1a4e46d0ea38c324a2ff12db77fcb0f05c9af0268f31d0cdd1811048134e7dea3c25c43b1c12c

Download Submit
C:\Windows\SysWOW64\Odjmdocp.exe

Filesize
432KB

MD5
6be080ba37d641841bc3437c34fb412d

SHA1
d96943ca5e6490c9f22257e4ba989b36edbdc68d

SHA256
10bf247f3b031331f3b639c468152e8d97735aa4425d9714dc43c616ca913227

SHA512
687f51a45d42749dbcfbd404d5d1038084bc1e9bc976a2c9375b3b5dbe3b715fea23394cc72db926957668f1f2100bdb7eb83451b780c2aa8b1b3532007a65ab

Download Submit
C:\Windows\SysWOW64\Ohqpjo32.exe

Filesize
432KB

MD5
96d30f234fd93e170a6b46b38710d0e0

SHA1
c5a0b7d734ae31ce056c033581918ab2d01fd6fb

SHA256
26df03e3b937b45e3deaa4cc9b89d3bb17e2fac47dc3f8498632dd5179eb6e28

SHA512
5242b166801433503b45d3d21b3732a861c02b3c23a773a7972598acbf40fdc5818cf0a559b1bdb218b47eae2652e8accf78965dd1d862af034fe5da2fa2f54d

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
432KB

MD5
178e726e238bcf58370e366903714c24

SHA1
15d629af342eb0bb87a2da46694c10c03d46d234

SHA256
f9a148099b9d0b155a6211f995306bdf6c4d93396aeb67ddd609686163b8f86d

SHA512
a9e0993699c794e0dd3ce79c93c4a41c7d946b440b0eb4fa46cd9d00ff200856adc942c40fe7bea4f169dec523183cbf229ee6db092343dc846ca968e1a4b3cb

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
432KB

MD5
2d6894b359d3c7965a92dceae1a79903

SHA1
cd163525143a7501e372a989a5ffa4747c49038e

SHA256
9e1f396520a9304ffce871a62a7848d792953b5ef3f91affaff529b41573c29b

SHA512
d8222de004744fc6566e15496976e1febd926d379b6ee89f175c44444fdb581486c3ea6993f2a47dab47895a37bf0aa69fe87b071bc7e2f05dbefd10fdbaf7bc

Download Submit
C:\Windows\SysWOW64\Oooaah32.exe

Filesize
432KB

MD5
85b674eb5c6e044adef59b6deb66dbaf

SHA1
e617fa696e3237b5b5ce3a6e7b644c764e8aa3eb

SHA256
6e558fe27230925bbd1456eaee854be251d99ba017ebe8876e0207c829e0347a

SHA512
ffcf66f002297c92659dab120e7dc41af5f6a07ba1c349bb8f361eb1d8227a722be8e666b6351def2add8e675fe0f4d91ecc1a31ef7a9bbe7c22416d3dc6590c

Download Submit
C:\Windows\SysWOW64\Pbimjb32.exe

Filesize
432KB

MD5
f1584ce3586fcf56d64821dbc9110847

SHA1
6679b31a558215d63f02f41c19b0662518b4d4af

SHA256
db0f58a01d5ea3679708fe559f37bde3c7324cc17aa23224728ca01c4b818b8c

SHA512
91e1514d71bbe816cd15e887a834f6affc42246cd7c1831d5b29e5f5b8b2373d33820e85f25ffc716eb6072265783599b9e14ca888fe2bb97ea9329347bbdfcf

Download Submit
C:\Windows\SysWOW64\Pcpgmf32.exe

Filesize
432KB

MD5
89de32ff6889d74928264a03b2bf66d4

SHA1
4ecdf25f10d0be7e2fa3401f5f08c6dc85e69d4a

SHA256
b177558bc0a3d9f8fb28382aef28c536f3e52d3f8ec67ae5468207a479da614c

SHA512
3518b68703a81ef1b5113af91743717728653f66e24154732aa029992b95abeb9b40b79e6752f9d3000a4730c76303092ca5af9f3736f9c8e3bfa048644dd65e

Download Submit
C:\Windows\SysWOW64\Pfppoa32.exe

Filesize
432KB

MD5
3ce0a7ea7d25aeca1e19da78e3ab6073

SHA1
36b7a89d30e358be142b789cb6f0c413e1919ee6

SHA256
7c0471bcce5137628e2b169b1b6d75886575a346166cf62d676cabb2d339c038

SHA512
42faecbfaeefbed85bfc52dc6637a19a90e4acb0b85e62583434ccc828d6e78d10b88f74df42314cf463329faa804607601438d8430443ad434c3e40232b59e8

Download Submit
C:\Windows\SysWOW64\Qejfkmem.exe

Filesize
432KB

MD5
786f11db79c562048df91745f5dcbab5

SHA1
93822d8bae25a4af0654c4603792c811a973a908

SHA256
4330ec9a65d70aea49dd30877e04a2156e5f9de4bb2b2bb804689c3233bc3282

SHA512
3b5f505d9376a214b846512fa10c6b07a529df637efbc1b3013ceaccc9342b62d30d95ba0c59b1ec4832e68e9f65203dcea571ced044ebcbeb2879a7a5a06a3c

Download Submit
C:\Windows\SysWOW64\Qmckbjdl.exe

Filesize
432KB

MD5
d4bec50cd00a0e78931019dec9c93fdf

SHA1
40e5abf406d8ad10a173e7c25278f6962d4204ba

SHA256
bc79d8acf21f03ba37437905ab7833daf9137b70cc4b4b9023efa0d4dd820d01

SHA512
4c78f26aca47d47c4c88ef128156a25322ec3505b34361fdece876e1fb2b5951faf55692d8a56869ebb8041a2ae630a832b777f2dc93b8999df61b45e39b4bbd

Download Submit
memory/32-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/32-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/184-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/184-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/468-110-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/468-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/732-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/732-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/924-123-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/924-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1116-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1116-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1212-344-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1212-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1244-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1244-331-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1496-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1496-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1772-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1772-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-324-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1976-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1976-282-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2044-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2044-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-338-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2520-211-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2520-295-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2792-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2792-342-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2976-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2976-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3084-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3388-114-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3388-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3448-102-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3648-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3648-264-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3720-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3720-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3804-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3804-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3876-237-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3876-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3932-202-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3932-288-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3940-265-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3940-337-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3960-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3960-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3988-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3988-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3996-289-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3996-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4124-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4124-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4416-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4416-210-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4432-296-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4432-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4528-246-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4528-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4708-273-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4708-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4840-219-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4840-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4904-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4964-228-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4964-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5008-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5008-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5064-343-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5064-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads