6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe
Size

56KB
MD5

75836f3f94f73797a401460e92e99020
SHA1

f5b06cf62d793168e771fcda1b194dd292807010
SHA256

6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3
SHA512

62873452bc5dbfd0248db124a0c1a2e0ea3e778741d38fb645a8d322298167732f3950d08c48acf5fa5f6caaaad467de367d3fa9492db243e98551869109154d
SSDEEP

1536:+TNY+1B7SYs1dnZR8DXVeCzvGV8g2rSv9glC:AND6YmNZgFeCCVcre9gI

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olebgfao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndqkleln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olpilg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjkgjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaajei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfjann32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmkplgnq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbafdlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbafdlod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnild32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaajei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfkeokjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgjnhaco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phnpagdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbflno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndqkleln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcecbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnild32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgjnhaco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmkplgnq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olebgfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjkgjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lohccp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oabkom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkeokjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lohccp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Offmipej.exe

Executes dropped EXE 54 IoCs

pid	Process
2348	Kdnild32.exe
2336	Kaajei32.exe
2968	Kcecbq32.exe
2692	Kgclio32.exe
2656	Lonpma32.exe
2068	Lfkeokjp.exe
2592	Lbafdlod.exe
2672	Lohccp32.exe
1376	Lddlkg32.exe
1128	Mfjann32.exe
1064	Mgjnhaco.exe
2728	Mjkgjl32.exe
2960	Nbflno32.exe
284	Nmkplgnq.exe
2332	Nfdddm32.exe
1980	Ncnngfna.exe
1988	Ndqkleln.exe
2180	Odchbe32.exe
2232	Opihgfop.exe
3012	Olpilg32.exe
2152	Offmipej.exe
2972	Olebgfao.exe
2256	Oabkom32.exe
2352	Phnpagdp.exe
2468	Pojecajj.exe
652	Pplaki32.exe
1608	Ppnnai32.exe
2748	Qppkfhlc.exe
2740	Qndkpmkm.exe
2856	Apedah32.exe
2560	Aebmjo32.exe
2528	Aaimopli.exe
1676	Aomnhd32.exe
1868	Aakjdo32.exe
1912	Ahebaiac.exe
1896	Anbkipok.exe
3032	Abmgjo32.exe
2900	Ahgofi32.exe
1496	Andgop32.exe
1752	Aqbdkk32.exe
1512	Bhjlli32.exe
2432	Bjkhdacm.exe
1452	Bjmeiq32.exe
1712	Bfioia32.exe
1524	Ccmpce32.exe
864	Cbblda32.exe
2200	Cileqlmg.exe
1584	Cpfmmf32.exe
2340	Cebeem32.exe
2816	Ceebklai.exe
2172	Cjakccop.exe
2752	Cegoqlof.exe
1444	Djdgic32.exe
2572	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1804	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe
1804	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe
2348	Kdnild32.exe
2348	Kdnild32.exe
2336	Kaajei32.exe
2336	Kaajei32.exe
2968	Kcecbq32.exe
2968	Kcecbq32.exe
2692	Kgclio32.exe
2692	Kgclio32.exe
2656	Lonpma32.exe
2656	Lonpma32.exe
2068	Lfkeokjp.exe
2068	Lfkeokjp.exe
2592	Lbafdlod.exe
2592	Lbafdlod.exe
2672	Lohccp32.exe
2672	Lohccp32.exe
1376	Lddlkg32.exe
1376	Lddlkg32.exe
1128	Mfjann32.exe
1128	Mfjann32.exe
1064	Mgjnhaco.exe
1064	Mgjnhaco.exe
2728	Mjkgjl32.exe
2728	Mjkgjl32.exe
2960	Nbflno32.exe
2960	Nbflno32.exe
284	Nmkplgnq.exe
284	Nmkplgnq.exe
2332	Nfdddm32.exe
2332	Nfdddm32.exe
1980	Ncnngfna.exe
1980	Ncnngfna.exe
1988	Ndqkleln.exe
1988	Ndqkleln.exe
2180	Odchbe32.exe
2180	Odchbe32.exe
2232	Opihgfop.exe
2232	Opihgfop.exe
3012	Olpilg32.exe
3012	Olpilg32.exe
2152	Offmipej.exe
2152	Offmipej.exe
2972	Olebgfao.exe
2972	Olebgfao.exe
1892	Pofkha32.exe
1892	Pofkha32.exe
2352	Phnpagdp.exe
2352	Phnpagdp.exe
2468	Pojecajj.exe
2468	Pojecajj.exe
652	Pplaki32.exe
652	Pplaki32.exe
1608	Ppnnai32.exe
1608	Ppnnai32.exe
2748	Qppkfhlc.exe
2748	Qppkfhlc.exe
2740	Qndkpmkm.exe
2740	Qndkpmkm.exe
2856	Apedah32.exe
2856	Apedah32.exe
2560	Aebmjo32.exe
2560	Aebmjo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndqkleln.exe	Ncnngfna.exe
File opened for modification	C:\Windows\SysWOW64\Aakjdo32.exe	Aomnhd32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Kaajei32.exe	Kdnild32.exe
File created	C:\Windows\SysWOW64\Fkdhkd32.dll	Pojecajj.exe
File opened for modification	C:\Windows\SysWOW64\Apedah32.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Eoobfoke.dll	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Aqbdkk32.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Kmhnlgkg.dll	Andgop32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Pplaki32.exe	Pojecajj.exe
File opened for modification	C:\Windows\SysWOW64\Lfkeokjp.exe	Lonpma32.exe
File opened for modification	C:\Windows\SysWOW64\Mfjann32.exe	Lddlkg32.exe
File created	C:\Windows\SysWOW64\Aomnhd32.exe	Aaimopli.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Kbdjfk32.dll	Ppnnai32.exe
File opened for modification	C:\Windows\SysWOW64\Aebmjo32.exe	Apedah32.exe
File created	C:\Windows\SysWOW64\Kmgbdm32.dll	Phnpagdp.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Andgop32.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Hpqnnmcd.dll	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Kfcgie32.dll	Bhjlli32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Olpilg32.exe	Opihgfop.exe
File created	C:\Windows\SysWOW64\Iacpmi32.dll	Olebgfao.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Aebmjo32.exe
File created	C:\Windows\SysWOW64\Pmmgmc32.dll	Aaimopli.exe
File opened for modification	C:\Windows\SysWOW64\Mgjnhaco.exe	Mfjann32.exe
File created	C:\Windows\SysWOW64\Aoapfe32.dll	Mjkgjl32.exe
File created	C:\Windows\SysWOW64\Ncnngfna.exe	Nfdddm32.exe
File opened for modification	C:\Windows\SysWOW64\Ahgofi32.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Gpihdl32.dll	Lfkeokjp.exe
File created	C:\Windows\SysWOW64\Lddlkg32.exe	Lohccp32.exe
File created	C:\Windows\SysWOW64\Hcelfiph.dll	Mfjann32.exe
File opened for modification	C:\Windows\SysWOW64\Qppkfhlc.exe	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Kdnild32.exe	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe
File created	C:\Windows\SysWOW64\Ciffggmh.dll	Lddlkg32.exe
File opened for modification	C:\Windows\SysWOW64\Nmkplgnq.exe	Nbflno32.exe
File created	C:\Windows\SysWOW64\Edeomgho.dll	Nmkplgnq.exe
File opened for modification	C:\Windows\SysWOW64\Pplaki32.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Qppkfhlc.exe	Ppnnai32.exe
File opened for modification	C:\Windows\SysWOW64\Qndkpmkm.exe	Qppkfhlc.exe
File created	C:\Windows\SysWOW64\Aebmjo32.exe	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Anbkipok.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Cabalojc.dll	Kcecbq32.exe
File created	C:\Windows\SysWOW64\Lfkeokjp.exe	Lonpma32.exe
File opened for modification	C:\Windows\SysWOW64\Nbflno32.exe	Mjkgjl32.exe
File created	C:\Windows\SysWOW64\Ahebaiac.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnild32.exe	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe
File created	C:\Windows\SysWOW64\Fffjig32.dll	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe
File created	C:\Windows\SysWOW64\Oqfqioai.dll	Kaajei32.exe
File created	C:\Windows\SysWOW64\Phnpagdp.exe	Pofkha32.exe
File created	C:\Windows\SysWOW64\Ppnnai32.exe	Pplaki32.exe
File created	C:\Windows\SysWOW64\Bodmepdn.dll	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Gigqol32.dll	Lonpma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2008	2572	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkeokjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofkha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lonpma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcecbq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjkgjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaajei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgclio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbafdlod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lohccp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddlkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnild32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfjann32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkplgnq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkfhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbflno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phnpagdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndqkleln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgjnhaco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfdddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnngfna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odchbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabkom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opihgfop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olpilg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Offmipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olebgfao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdnild32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfdddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opihgfop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olpilg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddlkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndqkleln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Offmipej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddlkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfjann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghaaidm.dll"	Opihgfop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olebgfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgclio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lohccp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomgdcce.dll"	Ndqkleln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lonpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbafdlod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoapfe32.dll"	Mjkgjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncnngfna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oabkom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gigqol32.dll"	Lonpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciffggmh.dll"	Lddlkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndqkleln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opihgfop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andgop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfjann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edeomgho.dll"	Nmkplgnq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olpilg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjkgjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eamjfeja.dll"	Nfdddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncnngfna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll"	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabalojc.dll"	Kcecbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlecd32.dll"	Oabkom32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2348	1804	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe	30
PID 1804 wrote to memory of 2348	1804	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe	30
PID 1804 wrote to memory of 2348	1804	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe	30
PID 1804 wrote to memory of 2348	1804	6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe	30
PID 2348 wrote to memory of 2336	2348	Kdnild32.exe	31
PID 2348 wrote to memory of 2336	2348	Kdnild32.exe	31
PID 2348 wrote to memory of 2336	2348	Kdnild32.exe	31
PID 2348 wrote to memory of 2336	2348	Kdnild32.exe	31
PID 2336 wrote to memory of 2968	2336	Kaajei32.exe	32
PID 2336 wrote to memory of 2968	2336	Kaajei32.exe	32
PID 2336 wrote to memory of 2968	2336	Kaajei32.exe	32
PID 2336 wrote to memory of 2968	2336	Kaajei32.exe	32
PID 2968 wrote to memory of 2692	2968	Kcecbq32.exe	33
PID 2968 wrote to memory of 2692	2968	Kcecbq32.exe	33
PID 2968 wrote to memory of 2692	2968	Kcecbq32.exe	33
PID 2968 wrote to memory of 2692	2968	Kcecbq32.exe	33
PID 2692 wrote to memory of 2656	2692	Kgclio32.exe	34
PID 2692 wrote to memory of 2656	2692	Kgclio32.exe	34
PID 2692 wrote to memory of 2656	2692	Kgclio32.exe	34
PID 2692 wrote to memory of 2656	2692	Kgclio32.exe	34
PID 2656 wrote to memory of 2068	2656	Lonpma32.exe	35
PID 2656 wrote to memory of 2068	2656	Lonpma32.exe	35
PID 2656 wrote to memory of 2068	2656	Lonpma32.exe	35
PID 2656 wrote to memory of 2068	2656	Lonpma32.exe	35
PID 2068 wrote to memory of 2592	2068	Lfkeokjp.exe	36
PID 2068 wrote to memory of 2592	2068	Lfkeokjp.exe	36
PID 2068 wrote to memory of 2592	2068	Lfkeokjp.exe	36
PID 2068 wrote to memory of 2592	2068	Lfkeokjp.exe	36
PID 2592 wrote to memory of 2672	2592	Lbafdlod.exe	37
PID 2592 wrote to memory of 2672	2592	Lbafdlod.exe	37
PID 2592 wrote to memory of 2672	2592	Lbafdlod.exe	37
PID 2592 wrote to memory of 2672	2592	Lbafdlod.exe	37
PID 2672 wrote to memory of 1376	2672	Lohccp32.exe	38
PID 2672 wrote to memory of 1376	2672	Lohccp32.exe	38
PID 2672 wrote to memory of 1376	2672	Lohccp32.exe	38
PID 2672 wrote to memory of 1376	2672	Lohccp32.exe	38
PID 1376 wrote to memory of 1128	1376	Lddlkg32.exe	39
PID 1376 wrote to memory of 1128	1376	Lddlkg32.exe	39
PID 1376 wrote to memory of 1128	1376	Lddlkg32.exe	39
PID 1376 wrote to memory of 1128	1376	Lddlkg32.exe	39
PID 1128 wrote to memory of 1064	1128	Mfjann32.exe	40
PID 1128 wrote to memory of 1064	1128	Mfjann32.exe	40
PID 1128 wrote to memory of 1064	1128	Mfjann32.exe	40
PID 1128 wrote to memory of 1064	1128	Mfjann32.exe	40
PID 1064 wrote to memory of 2728	1064	Mgjnhaco.exe	41
PID 1064 wrote to memory of 2728	1064	Mgjnhaco.exe	41
PID 1064 wrote to memory of 2728	1064	Mgjnhaco.exe	41
PID 1064 wrote to memory of 2728	1064	Mgjnhaco.exe	41
PID 2728 wrote to memory of 2960	2728	Mjkgjl32.exe	42
PID 2728 wrote to memory of 2960	2728	Mjkgjl32.exe	42
PID 2728 wrote to memory of 2960	2728	Mjkgjl32.exe	42
PID 2728 wrote to memory of 2960	2728	Mjkgjl32.exe	42
PID 2960 wrote to memory of 284	2960	Nbflno32.exe	43
PID 2960 wrote to memory of 284	2960	Nbflno32.exe	43
PID 2960 wrote to memory of 284	2960	Nbflno32.exe	43
PID 2960 wrote to memory of 284	2960	Nbflno32.exe	43
PID 284 wrote to memory of 2332	284	Nmkplgnq.exe	44
PID 284 wrote to memory of 2332	284	Nmkplgnq.exe	44
PID 284 wrote to memory of 2332	284	Nmkplgnq.exe	44
PID 284 wrote to memory of 2332	284	Nmkplgnq.exe	44
PID 2332 wrote to memory of 1980	2332	Nfdddm32.exe	45
PID 2332 wrote to memory of 1980	2332	Nfdddm32.exe	45
PID 2332 wrote to memory of 1980	2332	Nfdddm32.exe	45
PID 2332 wrote to memory of 1980	2332	Nfdddm32.exe	45

C:\Users\Admin\AppData\Local\Temp\6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe
"C:\Users\Admin\AppData\Local\Temp\6a565f35453f11b4aeafb3c05512af233eab2ebb94ba6cf9e28b1be3030a38f3N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\Kdnild32.exe
  C:\Windows\system32\Kdnild32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\Kaajei32.exe
    C:\Windows\system32\Kaajei32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\Kcecbq32.exe
      C:\Windows\system32\Kcecbq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\Kgclio32.exe
        
        C:\Windows\system32\Kgclio32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\Lonpma32.exe
        
        C:\Windows\system32\Lonpma32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Lfkeokjp.exe
        
        C:\Windows\system32\Lfkeokjp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Lbafdlod.exe
        
        C:\Windows\system32\Lbafdlod.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Lohccp32.exe
        
        C:\Windows\system32\Lohccp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Lddlkg32.exe
        
        C:\Windows\system32\Lddlkg32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Mfjann32.exe
        
        C:\Windows\system32\Mfjann32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Mgjnhaco.exe
        
        C:\Windows\system32\Mgjnhaco.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Mjkgjl32.exe
        
        C:\Windows\system32\Mjkgjl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Nbflno32.exe
        
        C:\Windows\system32\Nbflno32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Nmkplgnq.exe
        
        C:\Windows\system32\Nmkplgnq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\SysWOW64\Nfdddm32.exe
        
        C:\Windows\system32\Nfdddm32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Ncnngfna.exe
        
        C:\Windows\system32\Ncnngfna.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Ndqkleln.exe
        
        C:\Windows\system32\Ndqkleln.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Odchbe32.exe
        
        C:\Windows\system32\Odchbe32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Opihgfop.exe
        
        C:\Windows\system32\Opihgfop.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Olpilg32.exe
        
        C:\Windows\system32\Olpilg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Offmipej.exe
        
        C:\Windows\system32\Offmipej.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Olebgfao.exe
        
        C:\Windows\system32\Olebgfao.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Oabkom32.exe
        
        C:\Windows\system32\Oabkom32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Pofkha32.exe
        
        C:\Windows\system32\Pofkha32.exe
        25⤵
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Phnpagdp.exe
        
        C:\Windows\system32\Phnpagdp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Pplaki32.exe
        
        C:\Windows\system32\Pplaki32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Qppkfhlc.exe
        
        C:\Windows\system32\Qppkfhlc.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 144
        57⤵
        Program crash
        
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
56KB

MD5
1015f3669afec6e2a9109fffe0b22405

SHA1
fd04a9f2a5ab275a730e61b46d71d87d45ca8bf2

SHA256
45800d50842071cd6f0c11300c8c2999d64c78886aa1654511acce14bbebe0fb

SHA512
a81c2033c0994793902a2bf54c4a9d68595cb27299a736c828fb9f5e2c6511d6fe25dd0f3c8a8ec5185fe0589aecc2d89a1831c9f0cb6aedc3454040e8ae37bc

Download Submit
C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
56KB

MD5
96ac9a69618221c7ff8fe992f10b9189

SHA1
9f48d077ae9333517c0d8c257864410c91bb2cb7

SHA256
99d290f26afc94e21a5c967420384de923fb2436171eb17f61e5df905707ea13

SHA512
de0cb47bf3fa3e6f213ce05edaac5f54d26eeb1987414b2b6c1d1b028ed86cf2c81b0e5112e023e49094d9415c4a6237029d88742ce8fbefd4c5ca6c8d670686

Download Submit
C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
56KB

MD5
450e866bce04c10d88b1034a0f07aa79

SHA1
5839f86b30079ca59abedad68fc1e97dc809c3ce

SHA256
84de0d7f78e0d12f1bd73b86f7cd436e418b06ae5b8a917987a6d27faee9d482

SHA512
6833a5b7b8f56107165c88e80bd698f4c030c263c015cb931778117f510ef1af8bab27191ec912814ad382d698b799640157d40c64e171939d732b941423cb02

Download Submit
C:\Windows\SysWOW64\Aebmjo32.exe

Filesize
56KB

MD5
981affbd0bfdfb6d51052c3b0ea005da

SHA1
d1477dfd4fdf775d9d175a1575766d380a7e65e9

SHA256
e7a5735990ec86d75dd6392ac37fc97e8571090cf99137a726725c97e524d857

SHA512
9f2984c749ae2a1e8d595918fb6e93a51972fb37ffe2e040a5dc131bc7f7d493c1e110423c18eebf1c8e6ca11c6111329514666a3a4b9794fe3d2f0789e761ae

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
56KB

MD5
06281fa35dbd27623ef76da99149033b

SHA1
849ab6722cacd12b72cf5583d10e9e8cbcd133ee

SHA256
9a55f4507a05cbee252b0ce5bbe5f344a77d39509d79180774f0a127e1debba7

SHA512
f52e89bf9758f2344f62093c6d8053884aea8cee848cda19e7f069a91d8b252b879b3f7963d467f8691c046de23b14cb76ae629bcd986567d9cd57e7377f669a

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
56KB

MD5
751ced4dbb9f5e17fcd810c89484f509

SHA1
04bb97b66679423a31131ca8a7a9065bfae9f6a4

SHA256
c37c84fc8d25e6449e689553e335d3e52d4a9f3275db8731ff40a6580d1dd9f1

SHA512
243bc77a9e7df98dadb1d8cd762e37b47f033db5c4c3edd03c70f3066951ae61452c2e75b20262586933185b39bec019153fc9e97069dd25f0b4f65200fe0088

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
56KB

MD5
a68ba6526fa7fb4d7ab4e7b7c2f869d6

SHA1
3b6c7f3b854d00cf1c9c7ec2f37d91f145ceb940

SHA256
911d0b0625274d539eebf3846a7536829b91a22ef859bb5da8d03efb6acb0d1d

SHA512
1b99a15bd4216ba0bce73d60669a1ad671888660f90fa0bbac7870e4f2eee56da553313f3ec66649e50dfccd97d577fb0e8569212b72ddde3edff4836cb92358

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
56KB

MD5
dc62c202ea115675da5833136ac00619

SHA1
9a99ad2c282b8a86e5fda1b8f950442ad05d5fb3

SHA256
2ad118ced23080bec5d0c4137258ea346206dc178380e99436b0dbb7ae691697

SHA512
245308fe9815454b6648dee7ca1c1601e78d57110851382fdd337b0a62204b2bab6d03ec01e21a4a92ee5da0cfeec699128c73bb4c16fbdb3426a39a7d4d35d1

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
56KB

MD5
85f639bfe589dabfc49fd9ae370dd4b8

SHA1
58365617feee62c639dfe1c6da2ba752f0f08425

SHA256
1c191503d597937dd2530983d26e04330187404a02a21490ddd89a4ccafccca0

SHA512
b828eb9cf07e2db5f40fdd079df0117c36c3d0dbf190b4f65330d2dad8c1406d1bafffe7b53c5fdc741ff1152827d12c11baa0f5418935499cdd14add29b1360

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
56KB

MD5
2312750fe09c666550bfc09cf2304851

SHA1
6eae9faa9b945c5633fe668910839e1896a75af4

SHA256
13c0dcf2b5bda449eefb36dc16ba5b7bedca31bb999f44e91af1911cbca86fa6

SHA512
04292b8450c774bdd4d2b7dd247ff1fe581fe69bb4c9fd24f60b96d91628d398b098ea3740ff24f2bd253a6e9fec1724122ba76652af44debd98e8082e195c19

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
56KB

MD5
27f6cff0e0210574351998f00c322d84

SHA1
9e52077b195bf4b22af97a7e13e819de9b9a36e0

SHA256
57c26791cef9f1d06f095fcee6194d681166262eb7fc3e17789338c559b69dc7

SHA512
71269db3114fd26bc5879b2004dd4c402ab2066302dcb0981bc899cecd795755c0d05237b9c93d6ee40c699f2028dcaf145cfd6c2944ebfffbd14ddefc0996d1

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
56KB

MD5
00bbcf952818d2da37dfc747e2fdd982

SHA1
488ab40927aa2283f641270f44093a2c496fa681

SHA256
fc54961e5724189fe9f3ceb26608af4996b89a1a1bc36f6ad2d5af1f5e8a5679

SHA512
a421fe915535c82e00a35cd0747d75ff9ba9cffa3201c202df77839ff1ced1aa463d521c082db5c37a6e2b3b7e38daa04b04d59f975ffcc86ba78c7deb714e7d

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
56KB

MD5
8cc7a75eded400c2b76a8f122e0821bd

SHA1
2779778399fd22747b5647caf2f12e86690f4877

SHA256
a225446ee69382bd2ddf636239c9875c46544c4e7d48ddaf751f69cb3b791117

SHA512
fc4271404d8839c4a6fb6f6e9ef57846b47b6468970d14a5c252ba6155af87e1caaeecb83e4259f313fc2eae291baa59bf498124776fa0fe9a6d51ef21891bc8

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
56KB

MD5
22f075fc2a7633500ce90e1e50602358

SHA1
8ce343930ce519bb729058ed678013b9c74d8fff

SHA256
5a1cfcdd9275caa666485675e204de97d459ee0bc49fe0df4f1d46cd9409c36e

SHA512
172312e6f35fecea1b2b7228ea28df02fa8488dc6b6fb5623a94929a5f06e670c6cea60f8dde273c69dec5de5a2d7738b3f5647464591b9d7ef7cf797c13f5d0

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
56KB

MD5
0a36f70139334f59a54418684c983a61

SHA1
7b74286c909adadc03ba1967fcd1bf1a8029ec6d

SHA256
c8818fc72e04ad3aeef07a691671db1a484048f155992dd129d973672f569cea

SHA512
92d4b1cbb380d2cb779426656cd8c60619f4ba73e8f6661d8b36948408bfcc6c1683ac877b3e016d2311382ef373b5cc710d5db484cfe9c3e936497dc2143202

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
56KB

MD5
31e998707dff5f8f28f3d869fcb7285c

SHA1
25525883bac16e3b792d3dbde6d88031fd93c47e

SHA256
a79784c517a2b9cb58e50ad054cbad2c4595281d44c5168d5f5f95006deeef34

SHA512
18b8946a012abba680be940148198e00dd6432f39702fe124943a569e6df73ad46cc1338810deceb7ee1da0c47f69eaf34067bd591d71dc69c644bb99984f031

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
56KB

MD5
2b8c700e1beb19f657a34380587f00e8

SHA1
6d8a3530bea89331e06fe6bb8cf48be32d1577c5

SHA256
2b22968e95f7c3040ffb06df77aeecdd1b5cb01191b2bca12dada6d863432d0e

SHA512
bba27811a1dae7a3fd1ba56485af5ba1467eb77d630294eea87a6370246eec5288cfec528eeccaea338d78a06d3ba68ff375ffd56024fbe67ad20c97602c2edf

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
56KB

MD5
a6fa3ceca81242fdc7c458c56795f232

SHA1
c63fea841a5376471ef5015e410e38c6bf5a8718

SHA256
61ad695edf7f777022177ae2772ef640a059161040a012c9320439ea65a46b47

SHA512
b2d5f99d8d79cd17fd9fbb6b7b28c56abb5f82202eb5734c002de8d84344b58be21055d3fefc5f2e911c49b4778c28099b54262b67170d2e0af31e969a0eea3b

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
56KB

MD5
6f072624f6db2a6e8948a0c23f66ea08

SHA1
7efbbed9f16f359a8f1f329c549649b8e641e248

SHA256
3e0f4b74264293c6583f0f5a1505abbfc776f30b6d6506e050c836cd02ff9f80

SHA512
74608e60ed02f776e4829e590ef8785fb49c5fb5d14548a4b9a5268bcba6e8f0d6e1e5acfbad6c718858af411404295aedef6df6d7fd563d735cc49ea5c3d7ff

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
56KB

MD5
70ee9b16735f1f51c6bea3fcf0c9daa4

SHA1
9f959eef9fa56783a002943c8ebd744b2401db68

SHA256
8e7a279aef05bd5d9f870023160539d2ee595789166e24ed1a477dbec1e36364

SHA512
2a5cb1b5f3445582b5937a5ee84904edbc1e270f99ea47f99f16903a1790ddfafe9e51c3b5463f162b81eaedfb9777fd5d8bc022ebba1664b34ca8b9302084c7

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
56KB

MD5
3967ef01c5699a6f6b385df21c72f4c3

SHA1
2ad0dc8080142f526110099c02aa3182450b1f9a

SHA256
bb1a7f05f884013264febe423e90d6952ceb5d2603cc87dccc9c913c85c707fd

SHA512
4b7d372c6786528b922387122e787b4522b3ecb5ca1948dbca5232ff1f5b6acc0341d918ed384e387ecbc2d756beb3fc99ddfa4eed5237a60918a028c1388ab4

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
56KB

MD5
158de174a2fe342a3045369699b57cdb

SHA1
4c5edc786ace53a41e7c668c86dfa25a9b6e9ad8

SHA256
1900cbb2278bf4defd423a20677c9fc05969bd18347aa1346681ce4775e4f9ad

SHA512
96a83a7d2063b00ad68e6f056ac7c5d44d4e03413ba615391ee04f2d0156b42f2268079cbca2e125b1715d0367f301987de937f909ed31646fa1560ee44436db

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
56KB

MD5
0cea04094db64187d25cdc1d153f1e5d

SHA1
5bb490b86259f9e98ff2e96bafec87713ed960fe

SHA256
294cdf588dbe3c9027fe0fa38f20146b64ae04ebdbbe5f1ad03f5bacc827ba8f

SHA512
07a637daf2392da12575877ba0c19c2ac9311c9bef5b553e2510d82fe1f374f82a5a794e9e9a3810caeae06d549d31820f2c4e4e02fa6416808e478bea127180

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
56KB

MD5
bb0b5ffbb9ab61c6dce3776ec1fd46c1

SHA1
0d6ad869f5ce477ca6377d201539064099eb90cf

SHA256
e7dcd44a173ab2e0529eb2475c3868761c78f3083570306288511d468c781606

SHA512
c058b3ddd3a30f59700ad353a7df33c638cf0bafc1e20e47502d46c65d94c618bffeef20a21c3b721e287c958816476fc167e94194ff1666858df88113c1b898

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
56KB

MD5
f68d3422a05a538b36ee96c224b6ab3b

SHA1
2f6716e7e091b7326114dae7841913349c25687b

SHA256
108e5d15068d4408e77eabca9caebc0c23d304a535f9a036f6def45aaaa8cdad

SHA512
dbac21ac25daf972b5160277e36767a3c44fecd940e2c181819417d5d278f78b676bbbab940c01d0321a08d9c6d52e8acab77f13ffd3df1b8741b146912b4e7f

Download Submit
C:\Windows\SysWOW64\Kaajei32.exe

Filesize
56KB

MD5
c539bf6e35eac288d6178bcdf47042d3

SHA1
6fac5fd9cd42174dbca055e052fbe5ecbf79c6f5

SHA256
9fbe176541b96620486638d8c0542766a555b9b5b25984d4d74e64f8c446be06

SHA512
a0a4a73b198fd26d9c18217f5ea1062a7720b9af15140436ecbae493653d1183ebdaaecc726daca7af585b44b1976e89d976d29ce11ebaaf41a241a6ba10e9e3

Download Submit
C:\Windows\SysWOW64\Kdnild32.exe

Filesize
56KB

MD5
2c29b239f12e158b151059966f0d1dd1

SHA1
25e6aa105330d93cd688bd53c14ed4de2deafdea

SHA256
3e413117cbc7042025313adedb582eb5b301bba6728425138715c02886ba3d74

SHA512
5e4f4563a12e7b00b90e9e3133c2a2df8dba14d9b656aab0a84af21c63f07699c2cbef7a7eedfb0a270f487392935f0cfbc28bb0af4be567ca0f5a97e2f919a4

Download Submit
C:\Windows\SysWOW64\Mgjnhaco.exe

Filesize
56KB

MD5
0a19630cd1ab048f0c9978fe6a8a8ee6

SHA1
22d363757689582f9a1d50b0d8b79dbbefe40e2d

SHA256
3fd7dadddf40d929022914928b431cf87df19c5ec4a392c4b4746cad80779997

SHA512
2af83fda4f6650550d1d57d23f8bc903e1ab9d6d793c7a31fa138f087c30e36a9d59743b69991b4cefe9fc7b9224c13693203b4e24fd3ba0f02888eb3c4e1bb2

Download Submit
C:\Windows\SysWOW64\Ndqkleln.exe

Filesize
56KB

MD5
4fdd77534e0e7d73c08ff297306bedfa

SHA1
450e35bbd382e087b2a27aa72cd7f352f722d3c7

SHA256
54520825e456787e0a55e25e356c04c80a59447b13e0d71e1abd47d90415eff9

SHA512
cc41a587726c0a17c076cf6535d9477b35446648da96f241975f05e5be8cafcf0a44556d7f5c066a6f57a17713d99cb89b4490eb551153894041f35e28f3fcbb

Download Submit
C:\Windows\SysWOW64\Nmkplgnq.exe

Filesize
56KB

MD5
4ee52492aa6802c699659a4afcb4c37e

SHA1
5c9b6be83bfdcdc58a3c7cb4c579b5d973773edb

SHA256
959d58f78a26f27818fab1eb15669e759ad47b859c9e341ad0941f8892fe6022

SHA512
236757616dbea594b72939597ea529cab6b71fb348f8071a8d7e846bd7362899d38f63a15060f7e017e8afffc70f950b6f8d9891c42d3c2ce710df442ad3bf2a

Download Submit
C:\Windows\SysWOW64\Oabkom32.exe

Filesize
56KB

MD5
c461752496764f52712bea947b757a5b

SHA1
7d430e2a885aad9274636bef42322c7f104c26e3

SHA256
d2058e411f1b76fcba643f9ad5114c0aca0aaa9837452b32622e64ab47bf60c6

SHA512
ef3c5ef9ef3a6793dec6f604c322c8af40478b1872f41734102cdf77febe1e84c8af9a7d8b36f7c047cbdb53676e564d25aceae4acd295671a32a5a17564e4ca

Download Submit
C:\Windows\SysWOW64\Odchbe32.exe

Filesize
56KB

MD5
06bfd0d2f8535fe3cd6e5b2dd6e6a518

SHA1
fdf6f39add8841fc7021bec702af4814bb0572e3

SHA256
5a9147d3a69aa6dc0f3027a5cea714027dd5c3f2fd1801f51317bdc912377e73

SHA512
eee45307119f84574544071c7e5ad54c3a539c629ae96ff09c08fd4c1932794d158283864a6c167e587e8d8d1008d1f2c36f13912fc6098b554197a77df2490c

Download Submit
C:\Windows\SysWOW64\Offmipej.exe

Filesize
56KB

MD5
6538dc7f7a2272155e54005c74891a2c

SHA1
f55813904f9b5fc1f9d1e0a0232656a47b765f62

SHA256
6b92644bf5d6c33652c1b5895ddf9ec72ca4bc9fc9a281b2211458bfde4112aa

SHA512
cee391181dad4dbacb8fd3779b4d91f6948932b207d04d3eb51aac16a4c2b00445f4f5c474c0381f1a0c7ad312520ccfd91a9c68243c0926a97c8373aac28296

Download Submit
C:\Windows\SysWOW64\Olebgfao.exe

Filesize
56KB

MD5
47c778ecb3e68e1d5beacaa5bdf5df87

SHA1
0785e12ccc883109068167aef39fc93ca0fb31dc

SHA256
8886105e3a55cbb4f9f49464c263c5ae64947b66e6d9ddab9118562b961ce906

SHA512
977154bf6fe47d304ee7c81ddc3d52f168b1c9e3b9e5e0d889ca30d3044413ebe4372a3adc0b5215b19a1d45189809ab0b125a343826562ab60260c51b51e2c0

Download Submit
C:\Windows\SysWOW64\Olpilg32.exe

Filesize
56KB

MD5
185c74f5cefec41017bda3e5312607d3

SHA1
c35c198d2151fcbf545d71ee8edd66c3fd807a8a

SHA256
060630770c76c4dad6da45cf530bcfdf365dc8e565ab9389daea2f9e7c6069bc

SHA512
63ef974be0968646309eca643607c715480840ac1433b9fdd089c4ad624f198ba0c33dd0f59f675da21267176d7c61104a1b5e4dd4133316322ce67b7fa6dca4

Download Submit
C:\Windows\SysWOW64\Opihgfop.exe

Filesize
56KB

MD5
6215f84c494ccde6cb51d75c9ad46db6

SHA1
d666e9dbf7ce27ca408d1431cf3743686a0f2ee8

SHA256
09f306ffc5dab26259899f916ac534cbb069a1e69462bb9a957c31ec775392b1

SHA512
a34aa204993a3d35706d4eb03d39e2aabab0cab22446c6861b1a1320f275cdf1cc246e0b21af9ce3bcf459143add7f46a8a8c4989c412460aa3426f89f55d2da

Download Submit
C:\Windows\SysWOW64\Phnpagdp.exe

Filesize
56KB

MD5
3486e8ee7ffc88b52cedcf69716e6a01

SHA1
90e185d61e20abe041d3959c629f0baa132bdd73

SHA256
81b31ccdfdf0fec51f86819145a098f51903f257e8e185ed2b2b59dd97249040

SHA512
54aad46f98566091b8acd5b598eec1e42ac81453cead98836407f5b1f624800dd8b1043e852b67c3253c3cd9a3fec29872ee1be4c8c031d1e0dd12a041489af6

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
56KB

MD5
3ef76f4eab7d7dbf8d58ff70a9607980

SHA1
9d12b95563088a07cfc776c689d558589eed0048

SHA256
20a477576f24c72cbf984c644667e2a8bb8e5e44c4e440c9df5b8b144c1dfdd9

SHA512
b6cc861d637c21344055ea3a0f2bd21822c862d80f4519f978c03656bd4947f830bcaef2260676e409db7f61df85b9c512c5c722871de00403013c61d866cb69

Download Submit
C:\Windows\SysWOW64\Pplaki32.exe

Filesize
56KB

MD5
0d403e6326c6950b6ec2f07d29464825

SHA1
20d451884154bd6e4d9d0e774bfe637552f221bb

SHA256
2a3d65c24dbccb74514346b5611364c706a2568b157b02c312f40e894ea42c4f

SHA512
619ab2897ef1b0c32688d5a7163e55f05050805f98ac31bc6b7f145e5f84c148aa25bb8fac32ecc6fdb3254358989057b364b8ce737bbe3398111fd27d633a85

Download Submit
C:\Windows\SysWOW64\Ppnnai32.exe

Filesize
56KB

MD5
4d8605dadc4e90850f7d63d4829588de

SHA1
8a826b1d1b9c971e024ca3e96d1161ca64727502

SHA256
9ad91988431eb5ef9a01e730c58fab6147cf256a3530746d9a7490696b39aa48

SHA512
101c5a08e80cce0536e86c730535a9b118a085c2cbcbece578ce4b3c94ab3635d10757679732b017bdeedef2dfbe99cb4eb40f30d217bb2347ab1d69ac7d033c

Download Submit
C:\Windows\SysWOW64\Qndkpmkm.exe

Filesize
56KB

MD5
484afca8f7961952d2262fe0881320f3

SHA1
9826f4313683d10afd313e098c08c2631d27bda8

SHA256
7e74d26f61656800a41b9b264f52b351929d1bb5184e2c60a0c468817f1a76ab

SHA512
85a5b7f5cf673f8cecb130ff25ec6ab423a1a32d63f9e2e4ba056fca71c27d4deaa4b4335282febf5d1db3a2eeab2e4327b65b8c7b07c73893d84086ddffd1b8

Download Submit
C:\Windows\SysWOW64\Qppkfhlc.exe

Filesize
56KB

MD5
035afe82f73588deadefdf502b065a1e

SHA1
78cc389147e35940c944a646f5a8b56a3fff692a

SHA256
80b3b1cdd91c1e88700f815972895507fb5c9353ce8a967b0fa8a0b7ac7738a2

SHA512
881e98e96ea04254101bb5474dddb68a777ae10b2682f28de76a9dd9d48f4ac96cf5d8d664366afbfbfe8bc49230ab6b3645e42a0c1fd273ff3c4040aad42d81

Download Submit
\Windows\SysWOW64\Kcecbq32.exe

Filesize
56KB

MD5
909329b2f47c79e995e9f1fbc90c6947

SHA1
bcce9ec965cadeaab0ed410a6b681ac3c11ac01f

SHA256
39271218c3386f88b7a5aed69b331c9ca2fa06d7d92a91f24ccc91ce98e37708

SHA512
639066baccb74abe561da3f62618e6543e89a256286124ba7ead6093b09566b0807e6a1c1aa8a24a84b0561fe027afe6702a6aedcf82fdb83d75ae368ef3057c

Download Submit
\Windows\SysWOW64\Kgclio32.exe

Filesize
56KB

MD5
0cd3db0cbb61edf1442b027bfddb3b19

SHA1
71e99b027f28356cbb806d508b629461baa465e0

SHA256
909433a88ee6a68d5d6d60c4f4208fc853754f6fcb1ff838ce2604466049a531

SHA512
009fc528c498d90b4a5d56c2a4ecc3e61e0b0f434a424e767b3c2be8d786308ea971d792b21c7931c547d17d59529e9f8f4b012e5e8ffb7c011a9e2cf18fa99d

Download Submit
\Windows\SysWOW64\Lbafdlod.exe

Filesize
56KB

MD5
c2ef6f3fde14a65b80379cc47e344d71

SHA1
a7986b2bc90abcac486f65478cce50977b4e6606

SHA256
9dc4845d187bfd474811f635f60c00fe439e20b7c2513920f5f67e5b5daa7a4b

SHA512
7cd52c5fc32bc785eabb738e1ea575da8796919efedaea24cbc8eb9a5dd58b9d20740b5121af13e921dfd002dcf214b499d0835a17d3cd7022481b567cd84f99

Download Submit
\Windows\SysWOW64\Lddlkg32.exe

Filesize
56KB

MD5
3151dae4bf022d067de9f840c87c7b3d

SHA1
2d4aeb4a32b50f24430db69b8a8ed2f7676b5071

SHA256
84ed6d55dd0620f868b32a8da74f1ca73abf83ac38988614ccc72b4f09001019

SHA512
8285b53d6133d2a3ecdab3d925ce5ec6d443151c892094ffa9f60a17de026d52d2ca6e6055350999f0a25f8be0ad4427e1cef8e7841e75ecd0c97cc09f464852

Download Submit
\Windows\SysWOW64\Lfkeokjp.exe

Filesize
56KB

MD5
41b4e927f566c3e7fd9feb2ddf2026e0

SHA1
03e30cbfd3dcfb2194ec149e31a203b6f702cc44

SHA256
c883ee8598563d00e6d87e0a3843a7f549c4c472b60f2d7ed7fca000c1492906

SHA512
81a5349575e462c9a831da3c031bc88e19cd286d1ea9bfbc8c84858d7b23be74ae26b32ce604e25a988e1ffebbdbc7af6a038fe74ad8645ca158f16ce7c20be1

Download Submit
\Windows\SysWOW64\Lohccp32.exe

Filesize
56KB

MD5
527748b4fdf6694e68cf677cde557c8c

SHA1
9bc4004ae6cfaeffb88cc83ab370cee1627eb37a

SHA256
eb93fdf39717478fb2cd10d74826e2edde062edb29a25cca02e976d36af85909

SHA512
6a696fbf308e85c074b258dbfcc53269298f63d082a1a51a158464d38ccd510ede9b8412e5088c242b0c6d01ad9505137dbbeb558a362dfe14a8cca7415ce032

Download Submit
\Windows\SysWOW64\Lonpma32.exe

Filesize
56KB

MD5
022f854592509176b628f0d045fc5a8b

SHA1
ef0fd44e55b4cff89f4df6c59367f5036d292ef2

SHA256
a1120ff819db35fd94b6bed38c7a7fa53f692ed40a91c639949ccf261b8ac85e

SHA512
0cbc14bb9381c4efb6d767f0209a30b2f3373dbe05ace1175b119427dbaa4c6d32e8f567a79a3575536f9e792bb4ec804151ec47b1e4fd541b28b2f694003098

Download Submit
\Windows\SysWOW64\Mfjann32.exe

Filesize
56KB

MD5
300952bd72a21693e3954e9c7ac5e84f

SHA1
9128945e1a1dce101ab01da23cb27d8144a416b7

SHA256
0a107df50bc1be60920ceecd02475d3437615bd20cbd272c7a134b7c5877b171

SHA512
82069f6bc60edb9a0b19a2e6d3e32a502b06cdb8fea77b14c613652b15f59dd825afc2f3afadd9d4f9c054f66ec98bed3c982be9eaa883a3e5dc304e7b6e394f

Download Submit
\Windows\SysWOW64\Mjkgjl32.exe

Filesize
56KB

MD5
ffdeed800930142c6ae6891ac599828e

SHA1
f3267310203ba9b463c0e38b348abb8d91618cec

SHA256
ca42352d2595d351e5b13d8fe0ed910563aff2445e9cdca7060078408346506a

SHA512
7e4ef052c79e23250307961593ae7183395b4de7648989451f87ab20750837eeb1d06bb0b3b9b5c54843be734cfa6951955a3ac963b7383d71269c6012eb5dc6

Download Submit
\Windows\SysWOW64\Nbflno32.exe

Filesize
56KB

MD5
31c1297fbe8fb249bbbe22c874d3c74e

SHA1
f3dc58e86803ac7212b15647ddc3fcc414ad6e92

SHA256
4fd6670349603653ef4d5b953de93b35017a38b94145471a44d7c4e637798cb3

SHA512
a1b47b6b4cbe9b0dc2d7770565d4d8abaad79718fd0ab58d4cfc4527e3742671d5b7f4186275b1614c90577ddb80203feb90b9e7635956deff9c942cc486750c

Download Submit
\Windows\SysWOW64\Ncnngfna.exe

Filesize
56KB

MD5
3ce3938e75089ab89d011b570225f831

SHA1
21df509eea6b7c32c8bec11aa913f4a632d8f193

SHA256
44cff714c723496d299f77727adee15d2fff02f6b6831d374ed95db5d4a2faee

SHA512
b41729c56c8d18148329bbdf34ec9da982ce6bab56a0bd8ebf6766cfe48186958e09e3080a9c932134fd1be7ce4e6887a35ad9bebd214b524eed9dbd536e0b56

Download Submit
\Windows\SysWOW64\Nfdddm32.exe

Filesize
56KB

MD5
54ba93c402478a9f2a8624c0785baca4

SHA1
838013b76cea3a136f9f7c03ef9b9be1d8da4c7e

SHA256
9c0c936df8253e1e63e6137018c21048a0462d83727b3ece2d46217866204e62

SHA512
c4c9d035b50ee6770d08582eb226438689b404643bc6cf08b6b6b72a6c6c04539d760ccb2e2a723b6bd925f74f6852f8e23ad3f457965a7a5da820a12e618a0a

Download Submit
memory/284-224-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/284-269-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/284-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-359-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/1064-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-175-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1064-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-166-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1128-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-143-0x0000000001B60000-0x0000000001B94000-memory.dmp

Filesize
208KB

Download
memory/1444-648-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-368-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/1608-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-55-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/1804-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-12-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/1804-11-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/1892-331-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1892-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-326-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1980-289-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1980-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-290-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1988-260-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1988-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-153-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2068-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-100-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2068-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-158-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2152-302-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2152-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-271-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2180-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-319-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2256-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-234-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2332-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-39-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2336-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-86-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2348-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-378-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2352-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-384-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2468-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-385-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2592-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-116-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2592-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-115-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2656-132-0x0000000001BA0000-0x0000000001BD4000-memory.dmp

Filesize
208KB

Download
memory/2656-80-0x0000000001BA0000-0x0000000001BD4000-memory.dmp

Filesize
208KB

Download
memory/2656-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-133-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2672-127-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2672-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-205-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2672-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-65-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2728-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-198-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2728-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-395-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2740-396-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2748-382-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2856-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-406-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/2960-204-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2960-252-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2960-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-49-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2968-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-341-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2972-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-292-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads