2bca2d0ac6260ae5e90da53f363fbd740f957cce408f2e2534615128eccd4105

Analysis

max time kernel
105s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcda222dd6dbb923b6e249dd1d56bc00N.exe
Size

159KB
MD5

bcda222dd6dbb923b6e249dd1d56bc00
SHA1

821fedf0cd5b4f77901e17daaf6500f196b68df4
SHA256

2bca2d0ac6260ae5e90da53f363fbd740f957cce408f2e2534615128eccd4105
SHA512

18b9ca7abf1cc4370c767e928846702944f391eec7f45b088b5a4b5b1db347d712df28b700e6d6b9ba7d03c62449924740772041fdf5b86de5c608410ddb1c6b
SSDEEP

3072:MIagR8NC0WxR+oebwf1nFzwSAJB8FgBY5nd/M9dA:4M0Weo71n6xJmPM9dA

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	bcda222dd6dbb923b6e249dd1d56bc00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe

Executes dropped EXE 64 IoCs

pid	Process
2660	Nilcjp32.exe
4856	Ncdgcf32.exe
3512	Nebdoa32.exe
2356	Ndcdmikd.exe
3284	Njqmepik.exe
3800	Nloiakho.exe
3252	Ndfqbhia.exe
632	Nnneknob.exe
724	Ndhmhh32.exe
4240	Njefqo32.exe
4736	Nnqbanmo.exe
3632	Ocnjidkf.exe
888	Ojgbfocc.exe
1124	Ocpgod32.exe
4140	Oneklm32.exe
2276	Ocbddc32.exe
4844	Olkhmi32.exe
1552	Ocdqjceo.exe
2448	Ofcmfodb.exe
3460	Oqhacgdh.exe
972	Ojaelm32.exe
4816	Pqknig32.exe
2724	Pgefeajb.exe
3064	Pjcbbmif.exe
1156	Pmannhhj.exe
684	Pdifoehl.exe
1960	Pggbkagp.exe
4460	Pnakhkol.exe
3564	Pqpgdfnp.exe
2976	Pjhlml32.exe
208	Pmfhig32.exe
4628	Pdmpje32.exe
3588	Pfolbmje.exe
4388	Pnfdcjkg.exe
4412	Pgnilpah.exe
2636	Qnhahj32.exe
4028	Qqfmde32.exe
1940	Qgqeappe.exe
3608	Qjoankoi.exe
4544	Qmmnjfnl.exe
4040	Qcgffqei.exe
1128	Qffbbldm.exe
1944	Ampkof32.exe
2876	Adgbpc32.exe
2716	Afhohlbj.exe
3972	Anogiicl.exe
4440	Aeiofcji.exe
2376	Aclpap32.exe
4372	Amddjegd.exe
324	Agjhgngj.exe
3732	Andqdh32.exe
628	Aabmqd32.exe
1764	Acqimo32.exe
4160	Ajkaii32.exe
900	Aadifclh.exe
4852	Aepefb32.exe
4728	Bfabnjjp.exe
4444	Bnhjohkb.exe
932	Bagflcje.exe
5084	Bcebhoii.exe
3788	Bfdodjhm.exe
768	Bnkgeg32.exe
2180	Beeoaapl.exe
4884	Bgcknmop.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	bcda222dd6dbb923b6e249dd1d56bc00N.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Nilcjp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5280	6120	WerFault.exe	191

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcda222dd6dbb923b6e249dd1d56bc00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	bcda222dd6dbb923b6e249dd1d56bc00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bcda222dd6dbb923b6e249dd1d56bc00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	bcda222dd6dbb923b6e249dd1d56bc00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	bcda222dd6dbb923b6e249dd1d56bc00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 2660	3116	bcda222dd6dbb923b6e249dd1d56bc00N.exe	84
PID 3116 wrote to memory of 2660	3116	bcda222dd6dbb923b6e249dd1d56bc00N.exe	84
PID 3116 wrote to memory of 2660	3116	bcda222dd6dbb923b6e249dd1d56bc00N.exe	84
PID 2660 wrote to memory of 4856	2660	Nilcjp32.exe	85
PID 2660 wrote to memory of 4856	2660	Nilcjp32.exe	85
PID 2660 wrote to memory of 4856	2660	Nilcjp32.exe	85
PID 4856 wrote to memory of 3512	4856	Ncdgcf32.exe	86
PID 4856 wrote to memory of 3512	4856	Ncdgcf32.exe	86
PID 4856 wrote to memory of 3512	4856	Ncdgcf32.exe	86
PID 3512 wrote to memory of 2356	3512	Nebdoa32.exe	87
PID 3512 wrote to memory of 2356	3512	Nebdoa32.exe	87
PID 3512 wrote to memory of 2356	3512	Nebdoa32.exe	87
PID 2356 wrote to memory of 3284	2356	Ndcdmikd.exe	88
PID 2356 wrote to memory of 3284	2356	Ndcdmikd.exe	88
PID 2356 wrote to memory of 3284	2356	Ndcdmikd.exe	88
PID 3284 wrote to memory of 3800	3284	Njqmepik.exe	89
PID 3284 wrote to memory of 3800	3284	Njqmepik.exe	89
PID 3284 wrote to memory of 3800	3284	Njqmepik.exe	89
PID 3800 wrote to memory of 3252	3800	Nloiakho.exe	90
PID 3800 wrote to memory of 3252	3800	Nloiakho.exe	90
PID 3800 wrote to memory of 3252	3800	Nloiakho.exe	90
PID 3252 wrote to memory of 632	3252	Ndfqbhia.exe	91
PID 3252 wrote to memory of 632	3252	Ndfqbhia.exe	91
PID 3252 wrote to memory of 632	3252	Ndfqbhia.exe	91
PID 632 wrote to memory of 724	632	Nnneknob.exe	93
PID 632 wrote to memory of 724	632	Nnneknob.exe	93
PID 632 wrote to memory of 724	632	Nnneknob.exe	93
PID 724 wrote to memory of 4240	724	Ndhmhh32.exe	94
PID 724 wrote to memory of 4240	724	Ndhmhh32.exe	94
PID 724 wrote to memory of 4240	724	Ndhmhh32.exe	94
PID 4240 wrote to memory of 4736	4240	Njefqo32.exe	95
PID 4240 wrote to memory of 4736	4240	Njefqo32.exe	95
PID 4240 wrote to memory of 4736	4240	Njefqo32.exe	95
PID 4736 wrote to memory of 3632	4736	Nnqbanmo.exe	96
PID 4736 wrote to memory of 3632	4736	Nnqbanmo.exe	96
PID 4736 wrote to memory of 3632	4736	Nnqbanmo.exe	96
PID 3632 wrote to memory of 888	3632	Ocnjidkf.exe	97
PID 3632 wrote to memory of 888	3632	Ocnjidkf.exe	97
PID 3632 wrote to memory of 888	3632	Ocnjidkf.exe	97
PID 888 wrote to memory of 1124	888	Ojgbfocc.exe	99
PID 888 wrote to memory of 1124	888	Ojgbfocc.exe	99
PID 888 wrote to memory of 1124	888	Ojgbfocc.exe	99
PID 1124 wrote to memory of 4140	1124	Ocpgod32.exe	100
PID 1124 wrote to memory of 4140	1124	Ocpgod32.exe	100
PID 1124 wrote to memory of 4140	1124	Ocpgod32.exe	100
PID 4140 wrote to memory of 2276	4140	Oneklm32.exe	101
PID 4140 wrote to memory of 2276	4140	Oneklm32.exe	101
PID 4140 wrote to memory of 2276	4140	Oneklm32.exe	101
PID 2276 wrote to memory of 4844	2276	Ocbddc32.exe	102
PID 2276 wrote to memory of 4844	2276	Ocbddc32.exe	102
PID 2276 wrote to memory of 4844	2276	Ocbddc32.exe	102
PID 4844 wrote to memory of 1552	4844	Olkhmi32.exe	103
PID 4844 wrote to memory of 1552	4844	Olkhmi32.exe	103
PID 4844 wrote to memory of 1552	4844	Olkhmi32.exe	103
PID 1552 wrote to memory of 2448	1552	Ocdqjceo.exe	105
PID 1552 wrote to memory of 2448	1552	Ocdqjceo.exe	105
PID 1552 wrote to memory of 2448	1552	Ocdqjceo.exe	105
PID 2448 wrote to memory of 3460	2448	Ofcmfodb.exe	106
PID 2448 wrote to memory of 3460	2448	Ofcmfodb.exe	106
PID 2448 wrote to memory of 3460	2448	Ofcmfodb.exe	106
PID 3460 wrote to memory of 972	3460	Oqhacgdh.exe	107
PID 3460 wrote to memory of 972	3460	Oqhacgdh.exe	107
PID 3460 wrote to memory of 972	3460	Oqhacgdh.exe	107
PID 972 wrote to memory of 4816	972	Ojaelm32.exe	108

C:\Users\Admin\AppData\Local\Temp\bcda222dd6dbb923b6e249dd1d56bc00N.exe
"C:\Users\Admin\AppData\Local\Temp\bcda222dd6dbb923b6e249dd1d56bc00N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SysWOW64\Nilcjp32.exe
  C:\Windows\system32\Nilcjp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\Ncdgcf32.exe
    C:\Windows\system32\Ncdgcf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\SysWOW64\Nebdoa32.exe
      C:\Windows\system32\Nebdoa32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        24⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        27⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        47⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        53⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        59⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        68⤵
        
        PID:404
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3148
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        82⤵
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        100⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 412
        105⤵
        Program crash
        
        PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6120 -ip 6120
1⤵
PID:5208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amddjegd.exe

Filesize
159KB

MD5
429385c997e984c22ee9682db02f1218

SHA1
417b46c3f7ce833f5b2fdaee333c1b8df63f9cfe

SHA256
e1389493a393dfcbe2874e0c475195736664ccdd301125f5b2e668fff2b8a8c8

SHA512
d8154460e4681a939443346f330b3f4df9013f0ff1eff8a2557494185333e81f6919d31b196880d62f0446e109901c8ca7631f7c0d6f08b3c143f184a8dffd8a

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
159KB

MD5
e92f4b1953d0c9fcb94290918a016973

SHA1
4ccd005403657f8d3589c11dd67f4d98e6ebc06f

SHA256
4e0d41f62b9b75471af64c99bcb2a61c95cbff7c4cfa78daeaadb30d2d12d81e

SHA512
320b6e6af3145d4ca50560ce207bc7c72d97b209928a46eb842386c4f460646346d49211309f8dd03f0cd0d9cd500d0889d0b40dd9e43ab143df2bb7136a7319

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
159KB

MD5
063f895c5acd48b968f796930102200e

SHA1
e382934b5187f02c38e54b708299392c9406664a

SHA256
9d117a77adeff21ae548a252a51d270df2adb2a0e6fe93a703f1d0926d988a07

SHA512
4d5d2c8dd1c54b0043fe3ca8df61189bc6120cb532688dcb31e865df7b80c0dad5c7abce8674deaf8d92ab546f9b7637b4cba906e78b563644e54954c2936580

Download Submit
C:\Windows\SysWOW64\Gbdhjm32.dll

Filesize
7KB

MD5
78ed8112ad0b14b54d958348b6d862bf

SHA1
3dfb62633055a41dfb142cf493be10f26302384a

SHA256
722971e2ab612a6f58645c5751d65f8984f2da1238c284ffbe06351b3e1edd96

SHA512
2789a472e5437e315ce689da0bb835c9988aa669c8ace8b3b6ac511c8b36f2490d57b9cc521390d3ab674e07b0316bf92d74c0f59332e91914776d80661521b2

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
159KB

MD5
9b4e1478cbc437f89de5b0cadefff4ad

SHA1
c0bfe93cf04366622fae0e1245965b9056592209

SHA256
dc750e9bf6407845ff50aba636f44d0a7b9d708b748e8ef38ec47c3450667f48

SHA512
2500058ea40b74f1fce3e62f8c5153993fb9949a6651223b59e4b283da10ec341f88be954a19a424a47dfd966dddc87a3ddb6a413a5f5beec8c1b7e53b866002

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
159KB

MD5
c92707bd0331e67fdb8d52fe71f03dea

SHA1
25533ba731bb8696d3a188c4ef213390a916548b

SHA256
e22e435bf4c1f62bb7977c7d959fc746f937d8334b50c42bb63f7121c255192d

SHA512
327d2031085f39ba7f1ec9e3122b0a7da699a5736b5ca9354f97641ad1e6eb9c77f7050a47c291b68b532d398fc2733ce684cd484f3c95867db5829d304453e5

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
159KB

MD5
57e8b8cc58e52c46761e3d0603807b95

SHA1
e42a9a997d774d20a267e7bdd6c4fc278b0d6f5a

SHA256
72cb4fca0207da2721502bf2e7d2adac0943e36d2d38a91a86b1bee6ad270385

SHA512
d3edfad413c6f9f1f56fec5e6961c686832f8e2d0a3495e8003fb4221f492e5681109296b2a4d7778bd2f3bb65ae01496a6fd0e13b5f766bb88fb87b51caa4fc

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
159KB

MD5
bbbf3729ce0d7da8a887f6b4661ca4f0

SHA1
1b704d3dce147f62a61de9f41fefd25563608af0

SHA256
a3236c0049a17a02d2725b63c48ed63b1266991744dacf20b696e84fc660798d

SHA512
de5ec25c776ceb3805ad87a290e1d0d154282c3f766da88342f87d4ab28edc6f715e6afa1ffcdc1729118186fb1efe01ce448f1828ccf48505f1b7504bcdae56

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
159KB

MD5
baf1f741efb4decc6118603f01a95bbe

SHA1
a3fb1a421f2a003d135e85afccd14f443aa02a02

SHA256
a191d11674ee633cb3a46f8e6bfa62960d5d2f3fb66190009a6e3a12142ca7e4

SHA512
5ec6189f8bed38aafd3b639a0a182271d8230e60008da41cb5d45ac21416280f52e564850d98a2cab2b1fa9a52d67a688950d244436939a11e78924f1081f653

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
159KB

MD5
a9e50165f36ee9acb4aa4d80365e4bd8

SHA1
e23abf3fa8e8baa6632316f149761f98eb55774c

SHA256
a475e857be892a72e30184779e8984f3dc18544d68d8771e06846c9bf6800f43

SHA512
2a193b5212ae443c1afc105183213d81a775cb49c2e131d9b22eaba44e4bf8ccc2bad0dab827a4c351841d372340cd8ac703e25f252486db49fbac24531694a4

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
159KB

MD5
ab6134fdb75c5a097774d6b92b85931e

SHA1
3df96fcf94b7ff9e384c0c0390831fa31a298c00

SHA256
74c540bafd529db94c7ac235dcb27df8c9cd3c080a481b483de6ba730c9addb5

SHA512
7f395cdbd473d492db642264269757eabde78889008a5da9807ba34cefdb8e9bbb6f1ea85382f9df2758ccdb8bd6e4551866fe53523f5ffd2ca26a231eb1b502

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
159KB

MD5
3b46a803178ca74ec5c9353b4f12ece6

SHA1
36a87a03fe702cdf8ba1259463721b80b65a3fab

SHA256
642fc73ec27d623ab8d14afae740772c2b4aab1343354d5050922a69e7d0209b

SHA512
a8c378e90abe26f10d1d14178cf2b8a00a386d91336d09e5082c19bf0463e99cda6fbbd92adf5deef57fcc72ddfa44c7dd600cdef5d07c47fe7bff5ce06ac127

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
159KB

MD5
ccf099efe014f39186933654d98cb561

SHA1
7c0c626d819cbea0ff5843d45a16c8c6089161c4

SHA256
fa138abcaeed50fd5d922419a5c0611351e0b767815b3bbd3bb82b6c3081922e

SHA512
a8323436df90af941dc5e4bfcd44645786e5cffed534f3fa56cd697b824f75dcb8db036c2517c1917faed654555e2df041e63401da711eb0166030719419410b

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
159KB

MD5
61da996bb2674739ebca4e5a36dbc172

SHA1
49d96e207e0528eb54e55890c90cc5f417fcce17

SHA256
a82f0d03857f8ce61e4686bef722daa35ef33ea01695e4e6909e3667683a7b74

SHA512
f1cfc93f8407bb3846d483f849123bcf675c91e664d4579b4f4b17025cadbc7e5534ff4a67641aa8fd0bf873a88c294b343da65d1f365aaab7d83f8b19d38918

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
159KB

MD5
4c3335d6347e2efa432fa7c50c7da1f9

SHA1
e14e8d0087b0e861fcfb79cdbbfa22e9c463ec16

SHA256
c8a96dd8e5c060678bb4484e5850926095da213b4184722cff791d8410970cd9

SHA512
834d3a185f03e0ce729a5ab82bc42295788d8e608e017134137351ab00e7dda1878a03d9c3e380e41cf231091e8b90995983fe066aac2be155d81913dec4dc23

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
159KB

MD5
150d9f2211b53477bbf89b00ae9b55e6

SHA1
f87baccab902c465996a5eccb2dc599883456c65

SHA256
ee3eaa6ce2a5a256da3d6a548643407623537b32dc6a1ce5f5904d8c3412e969

SHA512
f100ec3a4dee9b6d4d493c8609955f881342c86e9c2ead18a0e20c515b5df63eb2ac6f47d91532e84b0fb3e3bbebd4d6f781acd4bd2cd6f6653dc619b5e89a64

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
159KB

MD5
860b2a8baaef4ecd65b5163faad973c0

SHA1
a9cf7b9872d10fa28adae3da692dba7b953622fa

SHA256
9988be861bf43c70ece5c75ece98650ee52d8c94c8538d35848bedc4e43b487a

SHA512
ea6e6f45e4d143b737f2dbda248466127178ce88195879b3da2987071ed2c7a145592e2edbdc1ecfe05bd643664356e8338a4f0a2ef43215427908f6b708be26

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
159KB

MD5
e2be4d6fa6e18cc5db471d4e03af8917

SHA1
481979e3693aa2af71d5016571049fd53b8d101c

SHA256
27b87575555acd7b4404556c144b41f520da78f6527627dab0b0a945f4e23d27

SHA512
5bd7857143a25dc2a022a2261db1659cf2ce14db535b1d8ed364c353e4b11cd3438c42f418aec54d9c9ad66899d58ed06cd2af04348de4d8c883cedc1130e7d7

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
159KB

MD5
a41d81d87554375a07c10c3ce1ad8b10

SHA1
defdcf345815447508b7183fa8c02b58304ffc63

SHA256
0f8e859e12da84afa0cb2d0df4151a37244763ee0a82f1ed61891283ea31da8c

SHA512
e12f3cfa1ef720387dc6824c84c5183c1e8ada11980f72e6202c5ecb373588bd3c0c90611ee1398cd0e12b111c9f85a3ffb10e97b645bba2bcf18ccbe909fde7

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
159KB

MD5
ecf4e5719049daab93cd90e695c6f71e

SHA1
f4ac7c3342fdcdc4a5ad4f4cc8b15ce692351df4

SHA256
e2ce46d973ff980b8e0d1d7b3786d199d9c3265e7f21aa860eb646370f9437e1

SHA512
e9db5b8af6eaee721427fee729696dd9d100f1974f18fd1ab93a59b85775d2602fcf9154f232eeff7fda13c5b0ff39e7ccc34a239d88709f3f5b0960cd9c30fd

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
159KB

MD5
dfb7649391e5f5ce0c1e5528ed780b55

SHA1
a509289bacc5debcd2bbdcf17f3936371f0c13e6

SHA256
e93565f4802caa7170a125e611964643780490ef889c20936912a71a0089f600

SHA512
5f628d7b2c18381ee05eedd7ec897bca34ab14dadc412422c622ed48f0bba00261ab4be599acfc7d53a6f327ec250adb3c8cba4c514eb867e7988d8b1dcebe78

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
159KB

MD5
466012949202a47dbabc0571a8987fe5

SHA1
b978c9838cee4612d39009a354f5b611917ed8ae

SHA256
dc32af56143c7c915a76a1ba5bd3d6954cda54f68f11d77d1928e50f030568f2

SHA512
fbb7fe34340d58fc779556495000d3e0e41c4edda68e91d606e6eb5828359b5990fec0db68206cf602ebf21f7af18f27697331c3d284a04216cf0af77a2e0aac

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
159KB

MD5
c4b8fbd5b51e0ac77ef90b501de563f4

SHA1
e3cd1827eaf539d03814d4fb019853c9170b23dc

SHA256
37ce75ab1afa3c30b6ee6cac1c9e65c31884809a9d2597db71a200d031137d81

SHA512
56fc252691593f3fe81151ae12bac52f67d59e24eb7182799c5a4c07d4afa7002da1017d55e964cfa5f7840cc671f4127b28f90d18b8f9495b27e6be7aadd7fd

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
159KB

MD5
6cd390c299e5c22339a8a67637d8297a

SHA1
711735765ade493a0458b1937cac2d688ee86877

SHA256
c7dc28e9515fc01b546ed1ee05559a4345c137c2af0549de6327843acb33de13

SHA512
801ed4d5eb6ca9907e880b9cff81cf6a088e41798cc0c43faab0a6dea3ddcaa8f20e711c453a1295c9f936369fcef6246be1c1eb678a2ef652a29ee5cf2078b9

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
159KB

MD5
4a7818c2fbcc79ddb21bb097f4a88dde

SHA1
8b05806c1648ff9a46324167bc5f3cd63ba62f40

SHA256
77891d9bec9e76bb94b1711906b257cd75f9c780bba4b4def9c4cb6d69b4dc3d

SHA512
849d61b112aa88c51fc84fb5dd8d553e1c279d067f38dccbd7876c95cb1b30194c52ed88978e59c3b7bf51dd8dfeefa710ec657c50925d9374062857b039b00f

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
159KB

MD5
414f08cee099eed84ef079abe0e581a6

SHA1
792f5e94261eac2be320063eeab9b47e32477d1d

SHA256
c9ee485928d0174044701981075f8920022e941c1aa9f230cf4eadad00d62831

SHA512
62f69c08b7cfc61790022ba7bc6dad0248321a5be9ea8ecb6d89cb925e8fec0555c13f78ea4724d9adbe2503f0acb3fbcb735e226d9f5e3982a96a662b4fcbac

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
159KB

MD5
34cf4284731a6ee0f224263df144a3bb

SHA1
40c5761b369208a9848bc79fc33fc18ac44e3965

SHA256
cb7e2778321f4a73385caf569f468dbb5f93c5b9fc3b34052256f9de3b7d651e

SHA512
1995f394e915dbdeafdd283c111f06e8b209da93cbc6757d1f3c31c4a3dddeb8ee71ae38a1c86241468d346835f29cdbe9058aece7ad78694db19befab34c0d5

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
159KB

MD5
ae5ec641fe18afb9fd9e06f70188435b

SHA1
56ea36fb0eab352853289ed74ac73d20d3bef0a4

SHA256
3482dcf10d652f152c91df02f5c2b282516bc1ac4f8e35711c573f79f8b99619

SHA512
71e2b8066396814d8f1707754966ed46bf649247a85d0a739c96605bd32ae4b18fa7bcf667332b1c4050822957098f029724d202cc8eb22ba8138f5d3f6f0b70

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
159KB

MD5
b148eb418990dec6d2efcc179096dbf6

SHA1
8b29a95bbc7adc1a2b4405905d2f25ec3ebeb95e

SHA256
42c1f8ff4d01f8e6b94edba1b6e61f931870ea679535e20dbcb6ba58409dc23b

SHA512
e3313c7f3ee1af5770331a03b6fd55c7be61cf4bea8b184de39badfde6ef6b4246bdb92380f405f7a82e750b5d337a6a41b43ab7c297eb3f23b624fb21597dc3

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
159KB

MD5
aaa5e5ba77a53d10a3f9b5ecfac8739d

SHA1
7cac4cb8158105659c956dc492e36ac81d2cf321

SHA256
3238d8d2fe89b555e26085d8eff9bd6f380312bf3cb7a17d93bcdd5345bdbc2a

SHA512
f3bae7999cfd51521b314b5aa47aff4dca5e34d23a29ee5388647c4ad2a7614bfe5ea77b7fabfd46b53aa61d803eb01b5a44028331d0798b9634f00f01fc5fc3

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
159KB

MD5
81e4580a45d0d4841143ee72550ad134

SHA1
777ec1a7c7f211004f947a4b4e5a87a9b6b90f85

SHA256
ce5ec36a943383302bed48e95a28ad41db3275230226efae99863f950f3c18f5

SHA512
c74df75dc7022482060ee01e38c5b1c58b92bdb30072058a9d69a5e171208950df30acca982e3fc956aa27f102fcf98c7baf0fec55f9399ba1648bd8b63059b9

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
159KB

MD5
9bad3febe22b5dbb8ad56ad8ead142e4

SHA1
c677740e94003bb98bb46081dc352f401bd5c8f7

SHA256
f836f34b0b554b765999ec3c648efc75d58027a1212057a726287f8b62789dbd

SHA512
358bc3773fb4ab0c13b08250dafa8333078abfe6b7a972fc6b394f5bcb527d43724eb2edf0a1b783c4bc36dfba170f1e1aa9c16c031ac1cbdb3c89b26e5b7b37

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
159KB

MD5
feb0fad9264c73891e9ea14f57f8fc7d

SHA1
6e4d3a33785166d922119488b224fee8b5e97ab6

SHA256
87cffa5a31004a5b4690507d538536ddcfe1ff0e24134ab413d881b4a488d927

SHA512
0fca952c1cc23cb03c1d47bff09a4e3260415d29b5a612b35122cbf491a664554865868282a86651871c88a7fa74301ddbef2a4edd43ad0e8d519e892a55708d

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
159KB

MD5
3ec0f868c5a1190400390a141bfeb01a

SHA1
d073b127a2e89da90e23f1eec42b0d24962426db

SHA256
c71a0ad5c226bd613fe7dd3ff8877623351262791b2d842b0672bb8a5f603e74

SHA512
49e4ca27f2412c03c209c95a221ba2169a06e0c263cdaea51b66ec86d07e82242cab4252f21af31e5736e0987ef14db5753c26d90a260e7c84e2bceba528c55b

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
159KB

MD5
b9096b13a0f3ef6b35dba712dfa3db80

SHA1
57b3c0f04d9bb00bf537ad2cd041cf7d1b660881

SHA256
ce43612923865dc759c2a8c94c187d6cbea898cc4b72b077e833ba30b1dfc276

SHA512
21bbd454cbcec68ef743a1d91f3556dd40f548c03c4d7883584057e8ec09cfc49df97c59fbe6c5db1e5e175eda84e131ac8d14a058ad891d16558cf2c961740a

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
159KB

MD5
4a606a7086e537ce5de28cc357ca1c8b

SHA1
eb7863dd428e47e93e510c95991213edc71247d1

SHA256
9961aec55025306cd0ef970d78d3a778695e387b075a357bf82970ce831a124e

SHA512
cc294ba487547fa5e96947ae848097dcd3c2bf086862a2663ea9ffab5dbb09a985629ed3ba92517744edfc28817db2b8b8d0a7a5165351032bfd8d466f70a1bd

Download Submit
memory/208-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/324-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/724-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-802-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-602-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-613-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3972-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5164-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5240-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5284-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5328-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5372-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5412-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5456-600-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5492-601-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5552-614-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5852-710-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads